Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption⋆ ⋆⋆

Benoît Libert (1) and Damien Vergnaud (2)

(1) Université Catholique de Louvain, Crypto Group, Place du Levant, 3 – 1348 Louvain-la-Neuve – Belgium
(2) École Normale Supérieure – C.N.R.S. – I.N.R.I.A., 45, Rue d'Ulm – 75230 Paris CEDEX 05 – France

Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users’ keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.

1 Introduction

The concept of proxy re-encryption (PRE) dates back to the work of Blaze, Bleumer, and Strauss in 1998 [11]. The goal of such systems is to securely enable the re-encryption of ciphertexts from one key to another, without relying on trusted parties. Recently, Canetti and Hohenberger [19] described a construction of proxy re-encryption providing chosen-ciphertext security according to an appropriate definition of the latter notion for PRE systems. Their construction is bidirectional in that any information to translate ciphertexts from Alice to Bob can also be used to translate from Bob to Alice. This paper deals with the case of unidirectional PRE schemes and answers the question of how to secure them against chosen-ciphertext attacks while keeping them efficient. We first achieve this goal in the sense of a natural extension of the Canetti-Hohenberger security definition to the unidirectional setting. Then, we re-consider chosen-ciphertext security in a model where weaker assumptions are made on how malicious parties' public keys are generated.

1.1 Background

In a PRE scheme, a proxy is given a piece of information that allows turning a ciphertext encrypted under a given public key into an encryption of the same message under a different key. A naive way for Alice to implement such a mechanism is to simply store her private key at the proxy when she is unavailable: when a ciphertext is heading for her, the proxy decrypts it using its copy of her secret key and re-encrypts the plaintext using Bob's public key. The obvious problem with this strategy is that the proxy learns the plaintext and Alice's private key.

⋆ This is the full version of a paper with the same title presented in Public Key Cryptography 2008 [37].
⋆⋆ The first author acknowledges the financial support of the Belgian National Fund for Scientific Research (F.R.S.-F.N.R.S.) and the BCRYPT Interuniversity Attraction Pole. The second author is supported by the European Commission through the IST Program under Contract IST-2002-507932 ECRYPT and by the French Agence Nationale de la Recherche through the PACE project.

In 1998, Blaze, Bleumer and Strauss [11] (whose work is sometimes dubbed BBS) proposed the first proxy re-encryption scheme where the proxy is kept from knowing plaintexts and secret keys. It is based on a simple modification of the ElGamal encryption scheme [26]: let $(\mathbb{G}, \cdot)$ be a group of prime order $p$ and let $g$ be a generator of $\mathbb{G}$; Alice and Bob publish the public keys $X = g^x$ and $Y = g^y$ (respectively) and keep secret their discrete logarithms $x$ and $y$. To send a message $m \in \mathbb{G}$ to Alice, a sender picks uniformly at random an integer $r \in \mathbb{Z}_p$ and transmits the pair $(C_1, C_2)$ where $C_1 = X^r$ and $C_2 = m \cdot g^r$. The proxy is given the re-encryption key $y/x \bmod p$ to divert ciphertexts from Alice to Bob by computing $(C_1^{\,y/x}, C_2) = (Y^r, m \cdot g^r)$. This scheme is efficient and semantically secure under the Decision Diffie-Hellman assumption in $\mathbb{G}$. It solves the aforementioned problem since the proxy is unable to learn the plaintext or the secret keys $x$ and $y$. Unfortunately, Blaze et al. pointed out an inherent limitation: the proxy key $y/x$ also allows translating ciphertexts from Bob to Alice, which may be undesirable in situations where trust relationships are not symmetric. They left open the problem of designing PRE methods without this restriction. Another shortcoming of their scheme is that the proxy and the delegatee can collude to expose the delegator's private key $x$ given $y/x$ and $y$.

In 2005, Ateniese, Fu, Green and Hohenberger [3, 4] showed the first examples of unidirectional proxy re-encryption schemes based on bilinear maps. Moreover, they obtained the master key security property in that the proxy is unable to collude with delegatees in order to expose the delegator's secret. The constructions [3, 4] are also efficient and semantically secure assuming the intractability of decisional variants of the Bilinear Diffie-Hellman problem [15]. These PRE schemes only ensure chosen-plaintext security, which seems definitely insufficient for many practical applications.

Very recently, Canetti and Hohenberger [19] gave a definition of security against chosen-ciphertext attacks for PRE schemes and described an efficient construction satisfying this definition. In their model, ciphertexts should remain indistinguishable even if the adversary has access to a re-encryption oracle (translating adversarially-chosen ciphertexts) and a decryption oracle (that "undoes" ciphertexts under certain rules). Their security analysis takes place in the standard model (without the random oracle heuristic [9]). Like the BBS scheme [11], their construction is bidirectional and they left as an open problem to come up with a chosen-ciphertext secure unidirectional scheme.
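The BBS construction recalled above, as an added Python illustration (this is not code from the paper or its authors). It instantiates the group as the order-q subgroup of $\mathbb{Z}_p^*$ for a constructed toy safe prime and walks through key generation, encryption, the proxy's translation with the key $y/x$ and decryption by the delegatee. It also makes the two limitations the paper attributes to BBS concrete as checks: the same proxy key, inverted, translates in the reverse direction (bidirectionality), and the proxy key together with the delegatee's secret reveals the delegator's secret (no master secret security). Parameter values, function names and the message encoding are assumptions of this example.

```python
"""Toy model of the Blaze-Bleumer-Strauss (BBS) proxy re-encryption scheme.

Added illustration; this is not code from the paper or its authors. The
group G is the order-Q subgroup of Z_P^* for a small safe prime P = 2Q + 1
(constructed here; real deployments use cryptographically sized groups).
The paper writes the group order as p and picks exponents in Z_p; here the
group order is Q and all exponent arithmetic is done modulo Q.
"""
import secrets

# Constructed toy parameters: P = 2*Q + 1 with P and Q prime; G = 2^2 mod P
# generates the order-Q subgroup of quadratic residues. Far too small for
# real use; chosen only so the arithmetic is easy to follow.
P = 2039
Q = 1019
G = pow(2, 2, P)


def encode(k: int) -> int:
    """Map an integer k to the group element g^k (messages must be group
    elements for the scheme to be semantically secure)."""
    return pow(G, k % Q, P)


def keygen():
    """Key pair of one user: secret exponent x and public key X = g^x."""
    x = secrets.randbelow(Q - 1) + 1          # x in [1, Q-1], invertible mod Q
    return x, pow(G, x, P)


def enc(pk: int, m: int):
    """ElGamal-style encryption of a group element m under public key pk:
    (C1, C2) = (pk^r, m * g^r) for a fresh random exponent r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(pk, r, P), m * pow(G, r, P) % P


def dec(sk: int, ct) -> int:
    """Recover m: C1 = g^(sk*r), so C1^(1/sk) = g^r and m = C2 / g^r."""
    c1, c2 = ct
    g_r = pow(c1, pow(sk, -1, Q), P)
    return c2 * pow(g_r, -1, P) % P


def rekeygen(sk_from: int, sk_to: int) -> int:
    """BBS re-encryption key y/x mod Q. It is derived from BOTH secret
    exponents, unlike the unidirectional ReKeygen(sk_i, pk_j) interface
    the paper later formalizes."""
    return sk_to * pow(sk_from, -1, Q) % Q


def reenc(rk: int, ct):
    """Proxy step: (C1^(y/x), C2) = (Y^r, m*g^r), a ciphertext for the
    delegatee, computed without learning m, x or y."""
    c1, c2 = ct
    return pow(c1, rk, P), c2


def reverse_key(rk: int) -> int:
    """Inherent BBS limitation: inverting y/x gives x/y, so the very same
    proxy key also translates ciphertexts from Bob back to Alice."""
    return pow(rk, -1, Q)


def colluding_delegatee_recovers_delegator(rk: int, sk_to: int) -> int:
    """Second limitation noted in the paper: proxy (holding y/x) and
    delegatee (holding y) together obtain x = y * (y/x)^(-1) mod Q."""
    return sk_to * pow(rk, -1, Q) % Q


def demo(k: int = 123):
    """Run one delegation Alice -> Bob and report which properties hold."""
    x, X = keygen()                      # Alice
    y, Y = keygen()                      # Bob
    m = encode(k)
    rk = rekeygen(x, y)                  # handed to the proxy
    ct_alice = enc(X, m)
    ct_bob = reenc(rk, ct_alice)
    # Reverse direction using only the Alice -> Bob proxy key.
    ct_for_bob = enc(Y, m)
    ct_back_to_alice = reenc(reverse_key(rk), ct_for_bob)
    return {
        "alice_decrypts_own": dec(x, ct_alice) == m,
        "bob_decrypts_reencrypted": dec(y, ct_bob) == m,
        "bidirectional": dec(x, ct_back_to_alice) == m,
        "collusion_exposes_x": colluding_delegatee_recovers_delegator(rk, y) == x,
    }


if __name__ == "__main__":
    print(demo())
```

All four checks in `demo()` come out true: the first two are the correctness of encryption and of re-encryption, the last two are exactly the symmetry and collusion problems that motivate the unidirectional, collusion-resistant schemes this paper is about.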

1.2 Related Work

Many papers in the literature – the first one of which being [38] – consider applications where data encrypted under a public key $pk_A$ should eventually be encrypted under a different key $pk_B$. In proxy encryption schemes [33, 24], a receiver Alice allows a delegatee Bob to decrypt ciphertexts intended for her with the help of a proxy by providing them with shares of her private key. This requires delegatees to store an additional secret for each new delegation. Dodis and Ivan [24] present efficient proxy encryption schemes based on RSA, the Decision Diffie-Hellman problem as well as in an identity-based setting [42, 15] under bilinear-map-related assumptions. Proxy re-encryption schemes are a special kind of proxy cryptosystems where delegatees only need to store their own decryption key. They find applications in secure e-mail forwarding, digital rights management (DRM) or distributed storage systems (e.g. [3, 4]). The signature analogue of PRE systems, also suggested by Blaze, Bleumer and Strauss [11] in 1998, was formalized by Ateniese and Hohenberger [5] in 2005. The two techniques were notably combined [44] to design interoperable DRM systems where digital content can be translated between devices from different DRM domains. From a theoretical point of view, the first positive obfuscation result for a complex cryptographic functionality was recently presented by Hohenberger, Rothblum, shelat and Vaikuntanathan [32]: they proved the existence of an efficient program obfuscator for a family of circuits implementing re-encryption.

In [29], Green and Ateniese studied the problem of identity-based PRE and proposed a unidirectional scheme that can be made chosen-ciphertext secure. Their security results are presented only in the random oracle model. Also, the recipient of a re-encrypted ciphertext needs to know who the original receiver was in order to decrypt a re-encryption. In the standard model, Chu and Tzeng [23] described another identity-based PRE scheme that extends to provide chosen-ciphertext security. Their scheme is both multi-hop and unidirectional but fails to provide collusion-resistance (also called master secret security in [3, 4]) as the delegator's private key is trivially exposed when a dishonest delegatee and a proxy pool their information. More recently, Ateniese, Benson and Hohenberger [6] analyzed the notion of ciphertext anonymity (a.k.a. key privacy) in proxy re-encryption. This notion demands that even the proxy performing translations be unable to infer useful information on the identities of the participants between which it re-encrypts ciphertexts.

1.3 Our contributions

In the unidirectional case, this paper aims at achieving chosen-ciphertext security in the standard model without sacrificing other security properties such as collusion-resistance. While the scheme of [23] can be modified to satisfy some model of chosen-ciphertext security, it fails to protect the delegator against colluding delegatees and proxies. In particular, this scheme fails to satisfy our security model for first level ciphertexts. We believe that, as stressed in [3, 4], the security of delegators against malicious delegatees and proxies should be one of the pursued goals in the design of unidirectional schemes.

To achieve this goal, we first generalize the work of Canetti and Hohenberger [19] and present the first construction of a chosen-ciphertext secure and collusion-resistant³ unidirectional proxy re-encryption scheme in the standard model. Although only single-hop (like all known unidirectional schemes that resist collusions), our system is efficient and its security proof requires a non-interactive (and thus falsifiable [39]) complexity assumption in bilinear groups. It builds on the first unidirectional scheme from [3, 4], which we briefly recall at the beginning of section 3. The technique used by Canetti and Hohenberger to acquire CCA-security does not directly apply to the latter scheme because, in a straightforward adaptation of [19] to [3], the validity of translated ciphertexts cannot be publicly checked. To overcome this difficulty, we need to modify (and actually randomize) the re-encryption algorithm of Ateniese et al. so as to render the validity of re-encrypted ciphertexts publicly verifiable.

³ The earlier version [37] of this paper appeared before we became aware of the independent work [23], which focuses on the identity-based setting. The present one assumes traditional (i.e., non-identity-based) public keys but considers stronger adversarial models: dishonest delegation partners are notably allowed to collude with proxies.

As a second contribution (and a novelty w.r.t. the proceedings version of the paper [37]), we further strengthen our security model by allowing adversaries to inject their own keys in the system. A limitation of all known proxy re-encryption systems – even including passively secure or bidirectional ones [3, 19] – is that their security is analyzed in a model that implicitly makes the knowledge of secret key (KOSK) assumption [12] and does not capture a scenario where the generation of malicious users' public keys is left to adversaries themselves. The KOSK model is frequently used to hedge against certain harmful adversarial behaviors. It typically requires that, before being introduced in a multi-user system, any adversarially-controlled public key be properly registered and that knowledge of the matching secret key be proven to the certification authority (CA). For the sake of simplicity, security proofs (e.g. [12, 8]) frequently assume that adversaries merely reveal their private key to a so-called 'key registration authority' whenever they create a public key for themselves. As will be discussed in the second part of section 2.1, this requirement, which amounts to assuming some ideal trusted key generation phase, may be worrisome to rely on in practice. We therefore show how to modify our first scheme to prove it secure in a more powerful model, called the chosen key model, where the adversary can freely choose her own public keys without honestly following the specification of the key generation algorithm. In particular, she may even come up with public keys that are calculated as functions of honest users' keys and for which she does not know the corresponding secret keys. To handle queries involving such wicked public keys, we use techniques that were first introduced for identity-based encryption [13].

Whenever users delegate some of their rights to another party, there is always the chance that they will either need or want to revoke those rights later on. In [3, 4], Ateniese et al. designed a unidirectional PRE scheme that allows for temporary delegations: that is, re-encryption keys can only be used during a restricted time interval outside which translations are not possible any longer. The latter temporary PRE assumes a trusted server periodically updating public parameters and also entails the participation of delegatees in each temporary delegation. As a third contribution, we devise⁴ a chosen-ciphertext secure scheme with temporary delegation in the chosen key model. Beyond its security against strong adversaries, one of the advantages of this new scheme is that temporary delegations remain non-interactive (i.e., no action from the delegatee is required at each temporary delegation) and do not require relying on a trusted server publishing modified parameters at discrete time intervals. We additionally outline how to optimize the storage at the proxy when re-encryption rights are granted for several consecutive time periods. Our new scheme also lends itself to extensions such as keyword-controlled delegations, where proxy keys can only re-encrypt ciphertexts that are tagged with specific keywords.

1.4 Roadmap

The paper is organized as follows: we recall the concept of unidirectional proxy re-encryption and its security model in section 2.1. We review the properties of bilinear maps and the intractability assumption that our scheme relies on in section 2.2. Section 3 describes the main new scheme, gives the intuition behind its construction and a security proof. In section 4, we describe the scheme secure in the chosen-key model that additionally provides temporary delegation.

2 Preliminaries

2.1 Model and security notions

This section first recalls the syntactic definition of unidirectional proxy re-encryption suggested by Ateniese et al. [3, 4]. We then consider an appropriate definition of chosen-ciphertext security for unidirectional PRE schemes which is directly inferred from the one given by Canetti and Hohenberger [19] in the bidirectional case. Like [19], we consider security in the replayable CCA sense [20] where a harmless mauling of the challenge ciphertext is tolerated.

Definition 1. A (single hop) unidirectional PRE scheme consists of a tuple of algorithms (Global-setup, Keygen, ReKeygen, Enc_1, Enc_2, ReEnc, Dec_1, Dec_2):

- Global-setup(λ) → par: this algorithm is run by a trusted party that, on input of a security parameter λ, produces a set par of public parameters to be used by all parties in the scheme.
- Keygen(λ, par) → (sk, pk): on input of public parameters par and a security parameter λ, all parties use this randomized algorithm to generate a private/public key pair (sk, pk).
- ReKeygen(par, sk_i, pk_j) → R_ij: given public parameters par, user i's private key sk_i and user j's public key pk_j, this (possibly randomized) algorithm outputs a key R_ij that allows translating second level ciphertexts intended for i into first level ciphertexts encrypted for j.
- Enc_1(par, pk, m) → C: on input of public parameters par, a receiver's public key pk and a plaintext m, this probabilistic algorithm outputs a first level ciphertext that cannot be re-encrypted for another party.
- Enc_2(par, pk, m) → C: given public parameters par, a public key pk and a plaintext m, this randomized algorithm outputs a second level ciphertext that can be re-encrypted into a first level one (intended for a possibly different receiver) using the suitable re-encryption key.
- ReEnc(par, R_ij, C) → C′: this (possibly randomized) algorithm takes as input public parameters par, a re-encryption key R_ij and a second level ciphertext C encrypted under user i's public key. The output is a first level ciphertext C′ re-encrypted for user j. In a single hop scheme, C′ cannot be re-encrypted any further. If the well-formedness of C is publicly verifiable, the algorithm should output 'invalid' whenever C is ill-formed w.r.t. user i's public key.
- Dec_1(par, sk, C) → m: on input of a private key sk, a first level ciphertext C and system-wide parameters par, this algorithm outputs a plaintext m ∈ {0, 1}* or a message 'invalid'.
- Dec_2(par, sk, C) → m: given a private key sk, a second level ciphertext C and common public parameters par, this algorithm returns either a plaintext m ∈ {0, 1}* or 'invalid'.

Moreover, for any common public parameters par, for any message m ∈ {0, 1}* and any two private/public key pairs (sk_i, pk_i), (sk_j, pk_j), these algorithms should satisfy the following correctness conditions:

$$
\begin{aligned}
&\mathrm{Dec}_1(par, sk_i, \mathrm{Enc}_1(par, pk_i, m)) = m; \\
&\mathrm{Dec}_2(par, sk_i, \mathrm{Enc}_2(par, pk_i, m)) = m; \\
&\mathrm{Dec}_1(par, sk_j, \mathrm{ReEnc}(par, \mathrm{ReKeygen}(par, sk_i, pk_j), \mathrm{Enc}_2(par, pk_i, m))) = m.
\end{aligned}
$$

To lighten notations, we will sometimes omit to explicitly write the set of common public parameters par, taken as input by all but one of the above algorithms.

⁴ This novel construction improves the first example of chosen-ciphertext secure PRE with temporary delegations given in the first version [37] of the paper. Like [3, 4], the latter system required interactive delegations and dynamically changing public parameters.

Chosen-ciphertext security. The definition of chosen-ciphertext security that we first consider is naturally inspired from the bidirectional case [19] which in turn extends ideas from Canetti, Krawczyk and Nielsen [20] to the proxy re-encryption setting. For traditional public key cryptosystems, in this relaxation of the Rackoff-Simon definition [40], an adversary who can simply turn a given ciphertext into another encryption of the same plaintext is not deemed successful. In the game-based security definition, the attacker is notably disallowed to ask for a decryption of a re-randomized version of the challenge ciphertext. This relaxed notion was argued in [20] to suffice for most practical applications.

Security of second level ciphertexts. This first definition considers a challenger that produces a number of public keys. As in [19], we do not allow the adversary to adaptively determine which parties will be compromised. On the other hand, we also allow her to adaptively query a re-encryption oracle and decryption oracles. A difference with [19] is that the adversary A is directly provided with re-encryption keys that she is entitled to know (instead of letting her adaptively request them as she likes). We also depart from [19], and rather follow [3, 4], in that we let the target public key be determined by the challenger at the beginning of the game. Unlike [3, 4], we allow the challenger to reveal re-encryption keys R_ij when j is corrupt for honest users i that differ from the target receiver. We insist that such an enhancement only makes sense for single-hop schemes (as A would trivially win the game if the scheme were multi-hop).

Definition 2. A (single-hop) unidirectional PRE scheme is replayable chosen-ciphertext secure (RCCA) at level 2 if the probability

$$
\begin{aligned}
\Pr\Big[\, & (pk^\star, sk^\star) \leftarrow \mathrm{Keygen}(\lambda),\ \{(pk_x, sk_x) \leftarrow \mathrm{Keygen}(\lambda)\},\ \{(pk_h, sk_h) \leftarrow \mathrm{Keygen}(\lambda)\}, \\
& \{R_{\star h} \leftarrow \mathrm{ReKeygen}(sk^\star, pk_h)\},\ \{R_{h\star} \leftarrow \mathrm{ReKeygen}(sk_h, pk^\star)\}, \\
& \{R_{hh'} \leftarrow \mathrm{ReKeygen}(sk_h, pk_{h'})\},\ \{R_{hx} \leftarrow \mathrm{ReKeygen}(sk_h, pk_x)\}, \\
& (m_0, m_1, St) \leftarrow \mathcal{A}^{\mathcal{O}_{1\text{-}dec},\,\mathcal{O}_{renc}}\big(pk^\star, \{pk_h\}, \{(pk_x, sk_x)\}, \{R_{h\star}\}, \{R_{\star h}\}, \{R_{hx}\}, \{R_{hh'}\}\big), \\
& d^\star \xleftarrow{R} \{0,1\},\ C^\star = \mathrm{Enc}_2(m_{d^\star}, pk^\star),\ d' \leftarrow \mathcal{A}^{\mathcal{O}_{1\text{-}dec},\,\mathcal{O}_{renc}}(C^\star, St) \;:\; d' = d^\star \Big]
\end{aligned}
$$

is negligibly (as a function of the security parameter λ) close to 1/2 for any PPT adversary A. In our notation, St is the state information maintained by A while (pk⋆, sk⋆) is the target user's key pair generated by the challenger, which also chooses the keys of corrupt and honest parties. The keys of the other honest parties are subscripted by h or h′ and corrupt keys are subscripted by x. The adversary is given access to all non-trivial⁵ re-encryption keys except those that would allow re-encrypting from the target user to a corrupt one. In the game, A is said to have advantage ε if this probability, taken over the random choices of A and all oracles, is at least 1/2 + ε. Oracles O_1-dec, O_renc proceed as follows:

– Re-encryption O_renc: on input (pk_i, pk_j, C), where C is a second level ciphertext and pk_i, pk_j were produced by Keygen, this oracle responds with 'invalid' if C is not properly shaped w.r.t. pk_i. It returns a special symbol ⊥ if pk_j is corrupt and (pk_i, C) = (pk⋆, C⋆). Otherwise, the re-encrypted first level ciphertext C′ = ReEnc(ReKeygen(sk_i, pk_j), C) is returned to A.
– First level decryption O_1-dec: given a pair (pk, C), where C is a first level ciphertext and pk was produced by Keygen, this oracle returns 'invalid' if C is ill-formed w.r.t. pk. If the query occurs in the post-challenge phase (a.k.a. "guess" stage as opposed to the "find" stage), it outputs a special symbol ⊥ if (pk, C) is a Derivative of the challenge pair (pk⋆, C⋆). Otherwise, the plaintext m = Dec_1(sk, C) is returned to A.

Derivatives of (pk⋆, C⋆) are defined as follows. If C is a first level ciphertext and pk = pk⋆ or pk belongs to another honest user, we say that (pk, C) is a Derivative of (pk⋆, C⋆) if Dec_1(sk, C) ∈ {m_0, m_1}.

Explicitly providing the adversary with a second level decryption oracle is useless. Indeed, ciphertexts encrypted under public keys from {pk_h} can be re-encrypted for corrupt users given the set {R_hx}. Besides, second level encryptions under pk⋆ can be translated for other honest users using {R_⋆h} and the resulting ciphertext can be queried for decryption at the first level.

⁵ A non-trivial re-encryption key is one that the adversary cannot compute on her own. For instance, corrupt-to-honest proxy keys {R_xh} are trivial since the adversary can compute them using sk_x.

Remark. A possible enhancement of definition 2 is to allow adversaries to adaptively choose the target user at the challenge phase within the set of honest players. After having selected a set of corrupt parties among n players at the beginning, the adversary receives a set of n public keys, private keys of corrupt users as well as corrupt-to-corrupt, corrupt-to-honest and honest-to-honest re-encryption keys. When she outputs messages (m_0, m_1) and the index i⋆ of an honest user in the challenge step, she obtains an encryption of m_{d⋆} under pk_{i⋆} together with all honest-to-corrupt re-encryption keys R_ij with i ≠ i⋆. In this setting, a second level decryption oracle is also superfluous for schemes (like ours) where second level ciphertexts can be publicly turned into first level encryptions of the same plaintext for the same receiver. The scheme that we describe remains secure in this model at the expense of a probability of failure for the simulator, which has to foresee which honest user will be attacked and succeeds in doing so with probability O(1/n).

Security of first level ciphertexts. The above definition provides adversaries with a second level ciphertext in the challenge phase. A complementary definition of security captures their inability to distinguish first level ciphertexts as well. For single-hop schemes, A is granted access to all re-encryption keys in this definition. Since first level ciphertexts cannot be re-encrypted, there is indeed no reason to keep attackers from obtaining all honest-to-corrupt re-encryption keys. The re-encryption oracle becomes useless since all re-encryption keys are available to A. For the same reason, a second level decryption oracle is also unnecessary. Finally, Derivatives of the challenge ciphertext are simply defined as encryptions of either m_0 or m_1 for the same public key pk⋆. A single-hop scheme is said to be RCCA-secure at level 1 if it satisfies this notion.

Master secret security. In [3], Ateniese et al. define another important security requirement for unidirectional PRE schemes. This notion, termed master secret security, demands that no coalition of dishonest delegatees be able to pool their re-encryption keys in order to expose the private key of their common delegator. More formally, the following probability should be negligible as a function of the security parameter λ:

$$
\begin{aligned}
\Pr\Big[\, & (pk^\star, sk^\star) \leftarrow \mathrm{Keygen}(\lambda),\ \{(pk_x, sk_x) \leftarrow \mathrm{Keygen}(\lambda)\}, \\
& \{R_{\star x} \leftarrow \mathrm{ReKeygen}(sk^\star, pk_x)\},\ \{R_{x\star} \leftarrow \mathrm{ReKeygen}(sk_x, pk^\star)\}, \\
& \gamma \leftarrow \mathcal{A}\big(pk^\star, \{(pk_x, sk_x)\}, \{R_{\star x}\}, \{R_{x\star}\}\big) \;:\; \gamma = sk^\star \Big]
\end{aligned}
$$

At first glance, this notion might seem too weak in that it does not consider colluding delegatees who would rather undertake to produce a new re-encryption key R_⋆x′ that was not originally given and allows re-encrypting from the target user to another malicious party x′. As stressed in [3] however, all known unidirectional schemes fail to satisfy such a stronger security level. It remains an open problem to construct systems withstanding these transfer-of-delegation attacks. In single-hop schemes, the notion of RCCA security at the first level is easily seen to imply master secret security and we will only discuss the former. In the general multi-hop setting, the notion of master secret security appears to be the most appropriate one. However, no viable construction of a multi-hop unidirectional system is known to date. As mentioned earlier, the scheme of [23] indeed fails to be master secret secure.

Chosen-ciphertext security in the chosen-key model. In the previous definitions, we assume a static corruption model as in [19]. In definition 2 as well as in the model of [19], the challenger generates public keys for all parties and allows the adversary to obtain private keys for some of them. These models do not capture a scenario where adversaries may generate public keys on behalf of corrupt parties (possibly non-uniformly or as a function of honest parties' public keys). All previous PRE systems as well as our first scheme are analyzed in models that implicitly make the knowledge of secret key (KOSK) assumption, according to which users only publish public keys when they know the underlying private keys. In other settings (such as [12, 8]), similar restrictions are frequently imposed on adversarial behaviors: attackers are allowed to come up with their own public key but are required to also reveal the matching secret key. This mirrors the fact that, upon certification of their public key, users should provide certification authorities (CAs) with a proof of knowledge of their private key.

In the known secret key model, security proofs take advantage of the fact that the simulator itself knows dishonest users' secrets. It is tempting to justify this knowledge by arguing that, upon key registration, the simulator can rewind the adversary to extract her private key using the knowledge extractor [7] of the proof. However, attention must be paid to the fact that rewinding is very problematic in inherently concurrent environments like the Internet. Then, CAs should mandate users to provide more involved and computationally more expensive proofs of knowledge (such as [27] in the random oracle model) that guarantee online extractability. As discussed in [10], current public key infrastructures (PKIs) do not bother to apply such thorough verifications that would suffice to realize the abstract KOSK model.

In this paragraph, we consider a more realistic model where the adversary can arbitrarily choose public keys without demonstrating knowledge of the private keys. The only limitation is that all public keys should fall into some public key space (which is pre-determined by system-wide parameters shared by all parties in the system). This provides the adversary with much more flexibility and power in attacking other honest parties in the system. Schemes that are secure in the known secret key model may not necessarily be secure in the chosen-key model (although we did not find a strict separation in the context of proxy re-encryption).

Security of second level ciphertexts. The definition of second level security in the chosen-key model considers a challenger that produces a set HU of honest users' public keys. As in definition 2, the adversary is allowed to adaptively query a decryption oracle and a re-encryption oracle. This time however, the latter can be queried on input of adversarially-chosen delegatees' public keys. The attacker is again directly provided with all re-encryption keys for which the delegator and the delegatee are both honest. As another enhancement w.r.t. definition 2, she is granted access to a delegation oracle that returns re-encryption keys on behalf of honest delegators for arbitrary delegatees' public keys. By "arbitrary", we mean that the adversary can choose any element of the pre-determined (and publicly recognizable) public key space without necessarily knowing the corresponding secret key. Such a key may even be invalid if the scheme supports invalid public keys (for which no private key exists) that look like well-formed ones. In the next definition, we also let the target public key be chosen by the adversary (among all public keys in HU) in the challenge phase.

Definition 3. A (single-hop) unidirectional PRE scheme is replayable chosen-ciphertext secure in the chosen-key model (RCCA-CK) at level 2 if the probability

$$
\begin{aligned}
\Pr\Big[\, & \{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in HU},\ \{R_{ii'} \leftarrow \mathrm{ReKeygen}(sk_i, pk_{i'})\}_{i, i' \in HU}, \\
& (m_0, m_1, i^\star, St) \leftarrow \mathcal{A}^{\mathcal{O}_{1\text{-}dec},\,\mathcal{O}_{renc},\,\mathcal{O}_{deleg}}\big(\{pk_i\}_{i \in HU}, \{R_{ii'}\}_{i, i' \in HU}\big), \\
& d^\star \xleftarrow{R} \{0,1\},\ C^\star = \mathrm{Enc}_2(m_{d^\star}, pk_{i^\star}),\ d' \leftarrow \mathcal{A}^{\mathcal{O}_{1\text{-}dec},\,\mathcal{O}_{renc},\,\mathcal{O}_{deleg}}(C^\star, St) \;:\; d' = d^\star \Big]
\end{aligned}
$$

is negligibly (as a function of the security parameter λ) close to 1/2 for any PPT adversary A. In our notation, St is the state maintained by A while pk_{i⋆} denotes the public key of the target user that is chosen by the adversary in the set HU. The adversary A is given access to all re-encryption keys between honest users. She is also allowed to query any re-encryption key except those that would allow re-encrypting from the target user i⋆ to some user under her control. In the game, A is said to have advantage ε if this probability, taken over the random choices of A and all oracles, is at least 1/2 + ε. Oracles O_deleg, O_renc, O_1-dec proceed as follows:

– Delegation O_deleg: on input (pk_i, pk), where pk_i is a public key in HU (and i ≠ i⋆ in any stage) and pk is a public key of A's choosing (for which she is not required to reveal the private key), this oracle responds with the re-encryption key ReKeygen(sk_i, pk). We insist that no such query can involve pk_{i⋆} as a delegator at any time.
– Re-encryption O_renc: on input (pk_i, pk_j, C), where C is a second level ciphertext, pk_i ∈ HU was part of A's input and pk_j may be an arbitrary public key supplied by A (again without handing over the matching private key), this oracle responds with 'invalid' if C is not properly shaped w.r.t. pk_i. It returns a special symbol ⊥ if pk_j ∉ HU and (pk_i, C) = (pk_{i⋆}, C⋆). Otherwise, A obtains the re-encrypted ciphertext C′ = ReEnc(ReKeygen(sk_i, pk_j), C).
– First level decryption O_1-dec: given a pair (pk, C), where C is a first level ciphertext and pk ∈ HU, this oracle returns 'invalid' if C is ill-formed w.r.t. pk. If the query occurs in the post-challenge phase, it outputs a special symbol ⊥ if (pk, C) is a Derivative of the challenge pair (pk_{i⋆}, C⋆). Otherwise, the plaintext m = Dec_1(sk, C) is revealed to A.

Derivatives of (pk_{i⋆}, C⋆) are defined as previously. If C is a first level ciphertext and pk ∈ HU, we say that (pk, C) is a Derivative of (pk_{i⋆}, C⋆) if Dec_1(sk, C) ∈ {m_0, m_1}.

Although more power is granted to the adversary, the above model is still non-adaptive. In a truly adaptive model, A would be allowed to dynamically corrupt users that are initially honest. In fact, the scenario of definition 3 is easily seen to be equivalent to a completely similar game (in particular, delegation and re-encryption queries are treated in the same way) where A first statically chooses which players she wants to corrupt within a set of n users before being given all public keys and corrupt users' private keys. We leave open the problem of handling fully adaptive adversaries here.

Security of first level ciphertexts. As in the known secret key model, a second definition of security captures the inability to distinguish first level ciphertexts as well. For single-hop schemes, the adversary is granted access to all re-encryption keys in this definition (i.e., this time, even pk_{i⋆} can be the delegator's public key when A invokes oracle O_deleg with delegatees' public keys of her choosing). As above, the re-encryption oracle becomes useless since all possible re-encryption keys are made available to A. Again, Derivatives of the challenge ciphertext are simply defined as encryptions of either m_0 or m_1 for the same target public key pk_{i⋆}. In fact, the security of first level encryptions can be captured by a simpler definition where the adversary is challenged on a single honest user's public key pk_0 and is allowed to generate herself any other public key for which she makes delegation queries or re-encryption queries (the honest user being the delegator in either case).

2.2 Bilinear Maps and Complexity Assumptions

Groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p$ are called bilinear map groups if there is a mapping $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ with the following properties:
1. bilinearity: $e(g^a, h^b) = e(g, h)^{ab}$ for any $(g, h) \in \mathbb{G} \times \mathbb{G}$ and $a, b \in \mathbb{Z}$;
2. efficient computability for any input pair;
3. non-degeneracy: $e(g, h) \neq 1_{\mathbb{G}_T}$ whenever $g, h \neq 1_{\mathbb{G}}$.

We shall assume the intractability of a variant, introduced for the first time in [14], of the Decision Bilinear Diffie-Hellman (DBDH) problem which is, given $(g^a, g^b, g^c)$ with $a, b, c \xleftarrow{R} \mathbb{Z}_p^*$, to distinguish $e(g, g)^{abc}$ from random elements of $\mathbb{G}_T$.

Definition 4 ([14]). The $q$-weak Decision Bilinear Diffie-Hellman Inversion assumption ($q$-wDBDHI) posits the computational infeasibility of distinguishing $e(g, g)^{b/a}$ from random given $(g, g^a, g^{(a^2)}, \ldots, g^{(a^q)}, g^b)$. A distinguisher $\mathcal{B}$ $(t, \varepsilon)$-breaks the assumption if it runs in time $t$ and
$$\Big| \Pr[\mathcal{B}(g, g^a, g^{(a^2)}, \ldots, g^{(a^q)}, g^b, e(g, g)^{b/a}) = 1 \mid a, b \xleftarrow{R} \mathbb{Z}_p^*] - \Pr[\mathcal{B}(g, g^a, g^{(a^2)}, \ldots, g^{(a^q)}, g^b, e(g, g)^z) = 1 \mid a, b, z \xleftarrow{R} \mathbb{Z}_p^*] \Big| \geq \varepsilon.$$

The $q$-wDBDHI problem is obviously not easier than the $q$-DBDHI problem [13], where the challenge is to recognize $e(g, g)^{1/a}$ given $(g, g^a, \ldots, g^{(a^q)}) \in \mathbb{G}^{q+1}$. Dodis and Yampolskiy [25] showed the generic hardness of $q$-DBDHI and their result implies the generic computational infeasibility of $q$-wDBDHI. Boneh, Boyen and Goh [14] also gave generic intractability results for a wide class of assumptions that encompasses $q$-wDBDHI and many others. To prove our results, we only use the above assumption for constant values of $q$ whereas this parameter depends on the number of adversarial queries in several earlier applications (e.g. [25]). In our setting, the intractability of $q$-wDBDHI can be classified among mild decisional assumptions (according to the terminology of [18]) as its strength does not depend on the number of queries allowed to adversaries whatsoever. In some of our schemes, $q = 1$ even suffices and we obtain a slightly relaxed variant of the DBDH problem. The 1-wDBDHI assumption is indeed equivalent to the Squared Decision Bilinear Diffie-Hellman assumption which is the infeasibility of deciding whether $T = e(g, g)^{a^2 b}$ on input of $(g^a, g^b)$.

2.3 One-time signatures

As an underlying tool for applying the Canetti-Halevi-Katz methodology [22], we need one-time signatures. Such a primitive consists of a triple of algorithms $\mathrm{Sig} = (\mathcal{G}, \mathcal{S}, \mathcal{V})$ such that, on input of a security parameter $\lambda$, $\mathcal{G}$ generates a one-time key pair $(ssk, svk)$ while, for any message $M$, $\mathcal{V}(\sigma, svk, M)$ outputs 1 whenever $\sigma = \mathcal{S}(ssk, M)$ and 0 otherwise. As in [22], we need strongly unforgeable one-time signatures, which means that no PPT adversary can create a new signature for a previously signed message (according to [2]).

Definition 5. $\mathrm{Sig} = (\mathcal{G}, \mathcal{S}, \mathcal{V})$ is a strong one-time signature if the probability
$$\mathrm{Adv}^{OTS} = \Pr\big[ (ssk, svk) \leftarrow \mathcal{G}(\lambda);\ (M, St) \leftarrow \mathcal{F}(svk);\ \sigma \leftarrow \mathcal{S}(ssk, M);\ (M', \sigma') \leftarrow \mathcal{F}(M, \sigma, svk, St) : \mathcal{V}(\sigma', svk, M') = 1 \wedge (M', \sigma') \neq (M, \sigma) \big],$$

where $St$ denotes $\mathcal{F}$'s state information across stages, is negligible for any PPT forger $\mathcal{F}$.

3 A Unidirectional Scheme in the Known Secret Key Model

Our construction is inspired from the first unidirectional scheme suggested in [3, 4] where second level ciphertexts $(A, B) = (X^r, m \cdot e(g, g)^r)$, that are encrypted under the public key $X = g^x$, can be re-encrypted into first level ciphertexts $(e(A, R_{xy}), B) = (e(g, g)^{ry}, m \cdot e(g, g)^r)$ using the re-encryption key $R_{xy} = g^{y/x}$. Using his private key $y$ s.t. $Y = g^y$, the receiver can then obtain the message. The Canetti-Hohenberger method for achieving CCA-security borrows from [22, 17, 34] in that it appends to the ciphertext a checksum value consisting of an element of $\mathbb{G}$ raised to the random encryption exponent $r$. In the security proof, the simulator uses the publicly verifiable validity of ciphertexts in groups equipped with bilinear maps. Unfortunately, the same technique does not directly apply to secure the unidirectional PRE scheme of [3] against chosen-ciphertext attacks. The difficulty is that, after re-encryption, level 1 ciphertexts have one component in the target group $\mathbb{G}_T$ and pairings cannot be used any longer to check the equality of two discrete logarithms in groups $\mathbb{G}$ and $\mathbb{G}_T$. Therefore, the simulator cannot tell apart well-shaped level 1 ciphertexts from invalid ones.

The above technical issue is addressed by having the proxy replace $A$ with a randomized pair $(A', A'') = (R_{xy}^{1/t}, C_1^t) = (g^{y/(tx)}, X^{rt})$, for a random “blinding exponent” $t \xleftarrow{R} \mathbb{Z}_p^*$ that hides the re-encryption key in $C_1'$, in such a way that all ciphertext components but $C_2$ remain in $\mathbb{G}$. This still allows the second receiver holding $y$ s.t. $Y = g^y$ to compute $m = C_2 / e(A', A'')^{1/y}$. To retain the publicly verifiable well-formedness of re-encrypted ciphertexts however, the proxy needs to include $X^t$ in the ciphertext so as to prove the consistency of the encryption exponent $r$ w.r.t. the checksum value. Of course, since the re-encryption algorithm is probabilistic, many first level ciphertexts may correspond to the same second level one. For this reason, we need to tolerate a harmless form of malleability (akin to those accepted as reasonable in [2, 20, 43]) of ciphertexts at level 1.

3.1 Description

Our system is reminiscent of the public key cryptosystem obtained by applying the Canetti-Halevi-Katz transform [22] to the second selective-ID secure identity-based encryption scheme described in [13]⁶. Like the Canetti-Hohenberger construction [19], the present scheme uses a strongly unforgeable one-time signature to tie several ciphertext components altogether and offer a safeguard against chosen-ciphertext attacks in the fashion of Canetti, Halevi and Katz [22]. For simplicity, the description below assumes that verification keys of the one-time signature are encoded as elements from $\mathbb{Z}_p^*$. In practice, such verification keys are typically much longer than $|p|$ and a collision-resistant hash function should be applied to map them onto $\mathbb{Z}_p^*$.

– Global-setup($\lambda$): given a security parameter $\lambda$, choose bilinear map groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$, generators $g, u, v \xleftarrow{R} \mathbb{G}$ and a strongly unforgeable one-time signature scheme $\mathrm{Sig} = (\mathcal{G}, \mathcal{S}, \mathcal{V})$. The global parameters are $\mathrm{par} := \{\mathbb{G}, \mathbb{G}_T, g, u, v, \mathrm{Sig}\}$.

– Keygen($\lambda$): user $i$ sets his public key as $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$.

– ReKeygen($x_i, X_j$): given user $i$'s private key $x_i$ and user $j$'s public key $X_j$, generate the unidirectional re-encryption key $R_{ij} = X_j^{1/x_i} = g^{x_j/x_i}$.

– Enc$_1(m, X_i, \mathrm{par})$: to encrypt a message $m \in \mathbb{G}_T$ under the public key $X_i$ at the first level, the sender proceeds as follows.
  1. Select a one-time signature key pair $(ssk, svk) \xleftarrow{R} \mathcal{G}(\lambda)$ and set $C_1 = svk$.
  2. Pick $r, t \xleftarrow{R} \mathbb{Z}_p^*$ and compute
  $$C_2' = X_i^t \qquad C_2'' = g^{1/t} \qquad C_2''' = X_i^{rt} \qquad C_3 = e(g, g)^r \cdot m \qquad C_4 = (u^{svk} \cdot v)^r$$
  3. Generate a one-time signature $\sigma = \mathcal{S}(ssk, (C_3, C_4))$ on $(C_3, C_4)$.
  The ciphertext is $C_i = (C_1, C_2', C_2'', C_2''', C_3, C_4, \sigma)$.

⁶ It was actually shown in [35] that, although the security of the underlying IBE scheme relies on a rather strong assumption, a weaker assumption such as the one considered here suffices to prove the security of the resulting public key encryption scheme.

– Enc$_2(m, X_i, \mathrm{par})$: to encrypt a message $m \in \mathbb{G}_T$ under the public key $X_i$ at level 2, the sender conducts the following steps.
  1. Select a one-time signature key pair $(ssk, svk) \xleftarrow{R} \mathcal{G}(\lambda)$ and set $C_1 = svk$.
  2. Choose $r \xleftarrow{R} \mathbb{Z}_p^*$ and compute
  $$C_2 = X_i^r \qquad C_3 = e(g, g)^r \cdot m \qquad C_4 = (u^{svk} \cdot v)^r$$
  3. Generate a one-time signature $\sigma = \mathcal{S}(ssk, (C_3, C_4))$ on the pair $(C_3, C_4)$.
  The ciphertext is $C_i = (C_1, C_2, C_3, C_4, \sigma)$.

– ReEnc($R_{ij}, C_i$): on input of the re-encryption key $R_{ij} = g^{x_j/x_i}$ and a ciphertext $C_i = (C_1, C_2, C_3, C_4, \sigma)$, check the validity of the latter by testing the following conditions
  $$e(C_2, u^{C_1} \cdot v) = e(X_i, C_4) \qquad (1)$$
  $$\mathcal{V}(C_1, \sigma, (C_3, C_4)) = 1. \qquad (2)$$
  If well-formed, $C_i$ is re-encrypted by choosing $t \xleftarrow{R} \mathbb{Z}_p^*$ and computing
  $$C_2' = X_i^t \qquad C_2'' = R_{ij}^{1/t} = g^{(x_j/x_i)\, t^{-1}} \qquad C_2''' = C_2^t = X_i^{rt}$$
  The re-encrypted ciphertext is $C_j = (C_1, C_2', C_2'', C_2''', C_3, C_4, \sigma)$. If ill-formed, $C_i$ is declared ‘invalid’.

– Dec$_1(C_j, sk_j)$: the validity of a level 1 ciphertext $C_j$ is checked by testing if
  $$e(C_2', C_2'') = e(X_j, g) \qquad (3)$$
  $$e(C_2''', u^{C_1} \cdot v) = e(C_2', C_4) \qquad (4)$$
  $$\mathcal{V}(C_1, \sigma, (C_3, C_4)) = 1 \qquad (5)$$
  If relations (3)-(5) hold, the plaintext $m = C_3 / e(C_2'', C_2''')^{1/x_j}$ is returned. Otherwise, the algorithm outputs ‘invalid’.

– Dec$_2(C_i, sk_i)$: if the level 2 ciphertext $C_i = (C_1, C_2, C_3, C_4, \sigma)$ satisfies relations (1)-(2), receiver $i$ can obtain $m = C_3 / e(C_2, g)^{1/x_i}$. The algorithm outputs ‘invalid’ otherwise.

Outputs of the re-encryption algorithm are perfectly indistinguishable from level 1 ciphertexts produced by the sender. Indeed, if $\tilde{t} = t x_i / x_j$, we can write
$$C_2' = X_i^t = X_j^{\tilde{t}} \qquad C_2'' = g^{(x_j/x_i)\, t^{-1}} = g^{\tilde{t}^{-1}} \qquad C_2''' = X_i^{rt} = X_j^{r \tilde{t}}.$$

As in the original scheme described in [3], second level ciphertexts can be publicly turned into first level ciphertexts encrypted for the same receiver if the identity element of $\mathbb{G}$ is used as a re-encryption key. In the first level decryption algorithm, relations (3)-(5) guarantee that re-encrypted ciphertexts have the correct shape. Indeed, since $C_4 = (u^{C_1} \cdot v)^r$ for some unknown exponent $r \in \mathbb{Z}_p$, equality (4) implies that $C_2''' = C_2'^{\,r}$. From (3), it comes that $e(C_2'', C_2''') = e(X_j, g)^r$. We finally note that first level ciphertexts can be publicly re-randomized by changing $(C_2', C_2'', C_2''')$ into $(C_2'^{\,s}, C_2''^{\,1/s}, C_2'''^{\,s})$ for a random $s \in \mathbb{Z}_p^*$. However, the pairing value $e(C_2'', C_2''')$ remains constant and re-randomizations of a given first level ciphertext are publicly detectable.
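The following is an added example, not the authors' code: an algebraic correctness check of the section 3 scheme (and of the validity tests (3)-(5) and the re-randomization remark above), using a constructed toy pairing in which group elements are stored as their discrete logarithms, and a Lamport scheme as the strongly unforgeable one-time signature of section 2.3. All names, the modulus P and the Lamport parameters are assumptions of this example; the toy pairing offers no security and only serves to exercise the exponent arithmetic.

```python
"""Added example (not the authors' code): algebraic correctness check of the section 3 scheme.
Group elements are stored as their discrete logarithms mod a small prime: g^x is x, the group
law of G and G_T is addition mod P, and the pairing is e(g^x, g^y) = e(g,g)^{xy}, stored as x*y.
This toy pairing gives no security (discrete logs are trivial) but reproduces the exponent
arithmetic of Keygen, ReKeygen, Enc1/Enc2, ReEnc, Dec1/Dec2 and the validity tests (1)-(5)."""
import hashlib
import secrets

P = (1 << 61) - 1                                  # constructed toy prime, not a secure size

# --- toy symmetric bilinear map: G and G_T elements are both exponents mod P ---
def mul(a, b): return (a + b) % P                  # product of two group elements
def div(a, b): return (a - b) % P                  # quotient of two group elements
def power(a, k): return (a * k) % P                # a^k
def pair(a, b): return (a * b) % P                 # e(g^a, g^b) = e(g,g)^{ab}; e(g,g) is stored as 1
def inv(k): return pow(k, -1, P)                   # k^{-1} mod P for exponents
def rand_exp(): return secrets.randbelow(P - 1) + 1  # random element of Z_p^*

# --- Lamport one-time signature Sig = (G, S, V), standing in for the strongly unforgeable OTS ---
N = 64                                             # number of signed digest bits (toy size)
def _h(obj): return hashlib.sha256(repr(obj).encode()).digest()
def ots_gen():
    ssk = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(N)]
    return ssk, tuple((_h(a), _h(b)) for a, b in ssk)
def ots_sign(ssk, msg):
    bits = int.from_bytes(_h(msg)[:N // 8], "big")
    return tuple(ssk[i][(bits >> i) & 1] for i in range(N))
def ots_verify(svk, sig, msg):
    bits = int.from_bytes(_h(msg)[:N // 8], "big")
    return all(_h(sig[i]) == svk[i][(bits >> i) & 1] for i in range(N))
def svk_to_zp(svk): return int.from_bytes(_h(svk), "big") % (P - 1) + 1  # hash svk into Z_p^*

# --- global parameters par = {G, G_T, g, u, v, Sig} ---
G1 = 1                                             # the generator g, i.e. g^1
U, V = rand_exp(), rand_exp()                      # u, v <- G

def F(svk): return mul(power(U, svk_to_zp(svk)), V)   # u^{svk} * v, the checksum base
def keygen():                                      # (x_i, X_i = g^{x_i})
    x = rand_exp()
    return x, power(G1, x)
def rekeygen(x_i, X_j): return power(X_j, inv(x_i))   # R_ij = X_j^{1/x_i} = g^{x_j/x_i}

def enc2(m, X_i):                                  # level 2 ciphertext (C1, C2, C3, C4, sigma)
    ssk, svk = ots_gen()
    r = rand_exp()
    C3, C4 = mul(power(pair(G1, G1), r), m), power(F(svk), r)   # e(g,g)^r * m, (u^svk v)^r
    return (svk, power(X_i, r), C3, C4, ots_sign(ssk, (C3, C4)))

def enc1(m, X_i):                                  # level 1 ciphertext built directly by the sender
    ssk, svk = ots_gen()
    r, t = rand_exp(), rand_exp()
    C3, C4 = mul(power(pair(G1, G1), r), m), power(F(svk), r)
    return (svk, power(X_i, t), power(G1, inv(t)), power(X_i, r * t), C3, C4,
            ots_sign(ssk, (C3, C4)))

def valid2(X_i, C):                                # relations (1) and (2)
    C1, C2, C3, C4, sig = C
    return pair(C2, F(C1)) == pair(X_i, C4) and ots_verify(C1, sig, (C3, C4))

def valid1(X_j, C):                                # relations (3), (4) and (5)
    C1, C2p, C2pp, C2ppp, C3, C4, sig = C
    return (pair(C2p, C2pp) == pair(X_j, G1) and pair(C2ppp, F(C1)) == pair(C2p, C4)
            and ots_verify(C1, sig, (C3, C4)))

def reenc(R_ij, X_i, C):                           # proxy blinds R_ij with a fresh t; all of G
    if not valid2(X_i, C):
        return "invalid"
    C1, C2, C3, C4, sig = C
    t = rand_exp()
    return (C1, power(X_i, t), power(R_ij, inv(t)), power(C2, t), C3, C4, sig)

def dec2(x_i, X_i, C):                             # m = C3 / e(C2, g)^{1/x_i}
    return div(C[2], power(pair(C[1], G1), inv(x_i))) if valid2(X_i, C) else "invalid"

def dec1(x_j, X_j, C):                             # m = C3 / e(C2'', C2''')^{1/x_j}
    return div(C[4], power(pair(C[2], C[3]), inv(x_j))) if valid1(X_j, C) else "invalid"

def rerandomize(C, s):                             # public re-randomization of a level 1 ciphertext
    C1, C2p, C2pp, C2ppp, C3, C4, sig = C
    return (C1, power(C2p, s), power(C2pp, inv(s)), power(C2ppp, s), C3, C4, sig)

def same_origin(C, D):                             # e(C2'', C2''') is invariant, so re-randomizations are linkable
    return pair(C[2], C[3]) == pair(D[2], D[3])
```

Decrypting a re-encrypted ciphertext with a key other than the delegatee's fails relation (3), and altering any of $C_2$, $C_3$ or $C_4$ is caught by (1) or by the one-time signature.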

3.2 Security

For convenience, we will prove security under an equivalent formulation of the 3-wDBDHI assumption.

Lemma 1. The 3-wDBDHI problem is equivalent to decide whether $T$ equals $e(g, g)^{b/a^2}$ or a random value given $(g, g^{1/a}, g^a, g^{(a^2)}, g^b)$ as input.

Proof. Given elements $(g, g^{1/a}, g^a, g^{(a^2)}, g^b, T)$, we can construct a 3-wDBDHI instance by setting $(y = g^{1/a}, y^A = g, y^{(A^2)} = g^a, y^{(A^3)} = g^{(a^2)}, y^B = g^b)$, which implicitly defines $A = a$ and $B = ab$. Then, we have $e(y, y)^{B/A} = e(g^{1/a}, g^{1/a})^{(ab)/a} = e(g, g)^{b/a^2}$. The converse implication is easily established and demonstrates the equivalence between both problems. ⊓⊔

Theorem 1. Assuming the strong unforgeability of the one-time signature, the scheme is RCCA-secure at level 2 under the 3-wDBDHI assumption.

Proof. Let $(g, A_{-1} = g^{1/a}, A_1 = g^a, A_2 = g^{(a^2)}, B = g^b, T)$ be a modified 3-wDBDHI instance. We build an algorithm $\mathcal{B}$ deciding if $T = e(g, g)^{b/a^2}$ out of a successful RCCA adversary $\mathcal{A}$. Before describing $\mathcal{B}$, we first define an event $F_{OTS}$ and bound its probability to occur. Let $C^\star = (svk^\star, C_2^\star, C_3^\star, C_4^\star, \sigma^\star)$ denote the challenge ciphertext given to $\mathcal{A}$ in the game. Let $F_{OTS}$ be the event that, at some point, $\mathcal{A}$ issues a decryption query for a first level ciphertext $C = (svk^\star, C_2', C_2'', C_2''', C_3, C_4, \sigma)$ or a re-encryption query $C = (svk^\star, C_2, C_3, C_4, \sigma)$ where $(C_3, C_4, \sigma) \neq (C_3^\star, C_4^\star, \sigma^\star)$ but $\mathcal{V}(\sigma, svk^\star, (C_3, C_4)) = 1$. In the “find” stage, $\mathcal{A}$ has simply no information on $svk^\star$. Hence, the probability of a pre-challenge occurrence of $F_{OTS}$ does not exceed $q_O \cdot \delta$ if $q_O$ is the overall number of oracle queries and $\delta$ denotes the maximal probability (which by assumption does not exceed $1/p$) that any one-time verification key $svk$ is output by $\mathcal{G}$. In the “guess” stage, $F_{OTS}$ clearly gives rise to an algorithm breaking the strong unforgeability of the one-time signature. Therefore, the probability $\Pr[F_{OTS}] \leq q_O/p + \mathrm{Adv}^{OTS}$, where the second term accounts for the probability of definition 5, must be negligible by assumption.

We now proceed with the description of $\mathcal{B}$ that simply halts and outputs a random bit if $F_{OTS}$ occurs. In a preparation phase, $\mathcal{B}$ generates a one-time signature key pair $(ssk^\star, svk^\star) \leftarrow \mathcal{G}(\lambda)$ and provides $\mathcal{A}$ with public parameters including $u = A_1^{\alpha_1}$ and $v = A_1^{-\alpha_1 svk^\star} \cdot A_2^{\alpha_2}$ for random $\alpha_1, \alpha_2 \xleftarrow{R} \mathbb{Z}_p^*$. Observe that $u$ and $v$ define a “hash function” $F(svk) = u^{svk} \cdot v = A_1^{\alpha_1 (svk - svk^\star)} \cdot A_2^{\alpha_2}$. In the following, we call $HU$ the set of honest parties, including user $i^\star$ that is assigned the target public key $pk^\star$, and $CU$ the set of corrupt parties. Throughout the game, $\mathcal{A}$'s environment is simulated as follows.

• Key generation: public keys of honest users $i \in HU \setminus \{i^\star\}$ are defined as $X_i = A_1^{x_i} = g^{a x_i}$ for a randomly chosen $x_i \xleftarrow{R} \mathbb{Z}_p^*$. The target user's public key is set as $X_{i^\star} = A_2^{x_{i^\star}} = g^{(x_{i^\star} a^2)}$ with $x_{i^\star} \xleftarrow{R} \mathbb{Z}_p^*$. The key pair of a corrupt user $i \in CU$ is set as $(X_i = g^{x_i}, x_i)$, for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$, so that $(X_i, x_i)$ can be given to $\mathcal{A}$. To generate re-encryption keys $R_{ij}$ from player $i$ to player $j$, $\mathcal{B}$ has to distinguish several situations:
  - If $i \in HU \setminus \{i^\star\}$ and $j = i^\star$, $\mathcal{B}$ returns $R_{ii^\star} = A_1^{x_{i^\star}/x_i} = g^{x_{i^\star} a^2/(a x_i)}$ which is a valid re-encryption key.
  - If $i = i^\star$ and $j \in HU \setminus \{i^\star\}$, $\mathcal{B}$ responds with $R_{i^\star j} = A_{-1}^{x_j/x_{i^\star}} = g^{(a x_j)/(x_{i^\star} a^2)}$ that has also the correct distribution.
  - If $i, j \in HU \setminus \{i^\star\}$, $\mathcal{B}$ returns $R_{ij} = g^{x_j/x_i} = g^{(a x_j)/(a x_i)}$.
  - If $i \in HU \setminus \{i^\star\}$ and $j \in CU$, $\mathcal{B}$ outputs $R_{ij} = A_{-1}^{x_j/x_i} = g^{x_j/(a x_i)}$ which is also computable.

• Re-encryption queries: when facing a re-encryption query from user $i$ to user $j$ for a second level ciphertext $C_i = (C_1, C_2, C_3, C_4, \sigma)$, $\mathcal{B}$ returns ‘invalid’ if relations (1)-(2) are not satisfied.
  - If $i \neq i^\star$ or if $i = i^\star$ and $j \in HU \setminus \{i^\star\}$, $\mathcal{B}$ simply re-encrypts using the re-encryption key $R_{ij}$ which is available in either case.
  - If $i = i^\star$ and $j \in CU$,
    · If $C_1 = svk^\star$, $\mathcal{B}$ is faced with an occurrence of $F_{OTS}$ and halts. Indeed, re-encryptions of the challenge ciphertext towards corrupt users are disallowed in the “guess” stage. Therefore, $(C_3, C_4, \sigma) \neq (C_3^\star, C_4^\star, \sigma^\star)$ since we would have $C_2 \neq C_2^\star$ and $i \neq i^\star$ if $(C_3, C_4, \sigma) = (C_3^\star, C_4^\star, \sigma^\star)$.
    · We are thus left with the case $C_1 \neq svk^\star$, $i = i^\star$ and $j \in CU$. Given $C_2^{1/x_{i^\star}} = A_2^r$, $\mathcal{B}$ can compute from $C_4 = F(svk)^r = (A_1^{\alpha_1 (svk - svk^\star)} \cdot A_2^{\alpha_2})^r$
    $$A_1^r = (g^a)^r = \left( \frac{C_4}{C_2^{\alpha_2/x_{i^\star}}} \right)^{\frac{1}{\alpha_1 (svk - svk^\star)}}. \qquad (6)$$
    Knowing $g^{ar}$ and user $j$'s private key $x_j$, $\mathcal{B}$ picks $t \xleftarrow{R} \mathbb{Z}_p^*$ to compute
    $$C_2' = A_1^t = g^{at} \qquad C_2'' = A_{-1}^{x_j/t} = (g^{1/a})^{x_j/t} \qquad C_2''' = (A_1^r)^t = (g^{ar})^t$$
    and returns $C_j = (C_1, C_2', C_2'', C_2''', C_3, C_4, \sigma)$ which has the proper distribution. Indeed, if we set $\tilde{t} = at/x_j$, we have
    $$C_2' = X_j^{\tilde{t}} \qquad C_2'' = g^{1/\tilde{t}} \qquad C_2''' = X_j^{r \tilde{t}}.$$

• First level decryption queries: at any time, $\mathcal{A}$ may ask for the decryption of a first level ciphertext $C_j = (C_1, C_2', C_2'', C_2''', C_3, C_4, \sigma)$ under a public key $X_j$. For such a request, $\mathcal{B}$ returns ‘invalid’ if relations (3)-(5) do not hold. We assume that $j \in HU$ since $\mathcal{B}$ can decrypt using the known private key otherwise. Let us first assume that $C_1 = C_1^\star = svk^\star$. If $(C_3, C_4, \sigma) \neq (C_3^\star, C_4^\star, \sigma^\star)$, $\mathcal{B}$ is presented with an occurrence of $F_{OTS}$ and halts. If $(C_3, C_4, \sigma) = (C_3^\star, C_4^\star, \sigma^\star)$, $\mathcal{B}$ outputs $\bot$ which deems $C_j$ as a Derivative of the challenge pair $(C^\star, X_{i^\star})$. Indeed, it must be the case that $e(C_2'', C_2''') = e(g, X_j)^r$ for the same underlying exponent $r$ as in the challenge phase. We now assume $C_1 \neq svk^\star$.
  - If $j \in HU \setminus \{i^\star\}$, $X_j = g^{a x_j}$ for a known $x_j \in \mathbb{Z}_p^*$. The validity of the ciphertext ensures that $e(C_2'', C_2''') = e(X_j, g)^r = e(g, g)^{a r x_j}$ and $C_4 = F(svk)^r = g^{\alpha_1 a r (svk - svk^\star)} \cdot g^{a^2 r \alpha_2}$ for some $r \in \mathbb{Z}_p$. Therefore,
  $$e(C_4, A_{-1}) = e(C_4, g^{1/a}) = e(g, g)^{\alpha_1 r (svk - svk^\star)} \cdot e(g, g)^{a r \alpha_2} \qquad (7)$$
  and
  $$e(g, g)^r = \left( \frac{e(C_4, A_{-1})}{e(C_2'', C_2''')^{\alpha_2/x_j}} \right)^{\frac{1}{\alpha_1 (svk - svk^\star)}} \qquad (8)$$
  reveals the plaintext $m$ since $svk \neq svk^\star$.
  - If $j = i^\star$, we have $X_j = g^{(x_{i^\star} a^2)}$ for a known exponent $x_{i^\star} \in \mathbb{Z}_p^*$. Since we know that
  $$e(C_2'', C_2''') = e(X_{i^\star}, g)^r = e(g, g)^{a^2 r x_{i^\star}} \qquad e(C_4, g) = e(g, g)^{\alpha_1 a r (svk - svk^\star)} \cdot e(g, g)^{a^2 r \alpha_2},$$
  $\mathcal{B}$ can first obtain
  $$\gamma = e(g, g)^{ar} = \left( \frac{e(C_4, g)}{e(C_2'', C_2''')^{\alpha_2/x_{i^\star}}} \right)^{\frac{1}{\alpha_1 (svk - svk^\star)}}.$$
  Together with relation (7), $\gamma$ in turn uncovers
  $$e(g, g)^r = \left( \frac{e(C_4, A_{-1})}{\gamma^{\alpha_2}} \right)^{\frac{1}{\alpha_1 (svk - svk^\star)}}$$
  and the plaintext $m = C_3 / e(g, g)^r$. In the “guess” stage, $\mathcal{B}$ must check that $m$ differs from messages $m_0, m_1$ involved in the challenge query. If $m \in \{m_0, m_1\}$, $\mathcal{B}$ returns $\bot$ according to the RCCA-security rules.

• Challenge: when she decides that the first phase is over, $\mathcal{A}$ chooses messages $(m_0, m_1)$. At this stage, $\mathcal{B}$ flips a coin $d^\star \xleftarrow{R} \{0, 1\}$ and generates the challenge ciphertext $C^\star$ as
$$C_1^\star = svk^\star \qquad C_2^\star = B^{x_{i^\star}} \qquad C_3^\star = m_{d^\star} \cdot T \qquad C_4^\star = B^{\alpha_2}$$
and $\sigma^\star = \mathcal{S}(ssk^\star, (C_3^\star, C_4^\star))$. Since $X_{i^\star} = A_2^{x_{i^\star}} = g^{x_{i^\star} a^2}$ and $B = g^b$, $C^\star$ is a valid encryption of $m_{d^\star}$ with the random exponent $r = b/a^2$ if $T = e(g, g)^{b/a^2}$. In contrast, if $T$ is random in $\mathbb{G}_T$, $C^\star$ perfectly hides $m_{d^\star}$ and $\mathcal{A}$ cannot guess $d^\star$ with better probability than $1/2$. When $\mathcal{A}$ eventually outputs her result $d' \in \{0, 1\}$, $\mathcal{B}$ decides that $T = e(g, g)^{b/a^2}$ if $d' = d^\star$ and that $T$ is random otherwise. ⊓⊔

Theorem 2. Assuming the strong unforgeability of the one-time signature, the scheme is RCCA-secure at level 1 under the 3-wDBDHI assumption.

Proof. The proof is very similar to the one of theorem 1. We construct an algorithm $\mathcal{B}$ that is given a 3-wDBDHI instance $(g, A_{-1} = g^{1/a}, A_1 = g^a, A_2 = g^{(a^2)}, B = g^b, T)$ and uses the adversary $\mathcal{A}$ to decide if $T = e(g, g)^{b/a^2}$. Before describing $\mathcal{B}$, we consider the same event $F_{OTS}$ as in the proof of theorem 1 except that it can only arise during a decryption query (since there is no re-encryption oracle). Assuming the strong unforgeability of the one-time signature, such an event occurs with negligible probability as detailed in the proof of theorem 1. We can now describe our simulator $\mathcal{B}$ that simply halts and outputs a random bit if $F_{OTS}$ ever occurs. Let also $C^\star = (C_1^\star, C_2'^{\star}, C_2''^{\star}, C_2'''^{\star}, C_3^\star, C_4^\star, \sigma^\star)$ denote the challenge ciphertext at the first level. Algorithm $\mathcal{B}$ generates a one-time key pair $(ssk^\star, svk^\star) \leftarrow \mathcal{G}(\lambda)$ and the same public parameters as in theorem 1. Namely, it sets $u = A_1^{\alpha_1}$ and $v = A_1^{-\alpha_1 svk^\star} \cdot A_2^{\alpha_2}$ with $\alpha_1, \alpha_2 \xleftarrow{R} \mathbb{Z}_p^*$ so that

$F(svk) = u^{svk} \cdot v = A_1^{\alpha_1 (svk - svk^\star)} \cdot A_2^{\alpha_2}$. As in the proof of theorem 1, $i^\star$ identifies the target receiver. The attack environment is simulated as follows.

• Key generation: for corrupt users $i \in CU$ and honest ones $i \in HU \setminus \{i^\star\}$, $\mathcal{B}$ sets $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$. The target user's public key is defined as $X_{i^\star} = A_1$. For corrupt users $i \in CU$, $X_i$ and $x_i$ are both revealed. All re-encryption keys are computable and given to $\mathcal{A}$. Namely, $R_{ij} = g^{x_j/x_i}$ if $i, j \neq i^\star$; $R_{i^\star j} = A_{-1}^{x_j}$ and $R_{j i^\star} = A_1^{1/x_j}$ for $j \neq i^\star$.

• First level decryption queries: when a ciphertext $C_j = (C_1, C_2', C_2'', C_2''', C_3, C_4, \sigma)$ is queried for decryption w.r.t. a public key $X_j$, $\mathcal{B}$ returns ‘invalid’ if relations (3)-(5) do not hold. We assume that $j = i^\star$ since $\mathcal{B}$ can decrypt using the known private key $x_j$ otherwise. We have $C_2' = A_1^t$, $C_2'' = g^{1/t}$, $C_2''' = A_1^{rt}$ for unknown exponents $r, t \in \mathbb{Z}_p^*$. Since $e(C_2'', C_2''') = e(g, g)^{ar}$ and $e(C_4, A_{-1}) = e(g, g)^{\alpha_1 r (svk - svk^\star)} \cdot e(g, g)^{a r \alpha_2}$, $\mathcal{B}$ can obtain
$$e(g, g)^r = \left( \frac{e(C_4, A_{-1})}{e(C_2'', C_2''')^{\alpha_2}} \right)^{\frac{1}{\alpha_1 (svk - svk^\star)}}$$
which reveals the plaintext $m = C_3 / e(g, g)^r$ as long as $svk \neq svk^\star$. In the event that $C_1 = svk^\star$ in a post-challenge query,
  - If $e(C_2'', C_2''') = e(C_2''^{\star}, C_2'''^{\star})$, $\mathcal{B}$ returns $\bot$, meaning that $C_j$ is simply a re-randomization (and thus a Derivative) of the challenge ciphertext.
  - Otherwise, we necessarily have $(C_3^\star, C_4^\star, \sigma^\star) \neq (C_3, C_4, \sigma)$, which is an occurrence of $F_{OTS}$ and implies $\mathcal{B}$'s termination.
In the “guess” stage, $\mathcal{B}$ must ensure that $m$ differs from messages $m_0, m_1$ of the challenge phase before answering the query.

• Challenge: when the first phase is over, $\mathcal{A}$ outputs messages $(m_0, m_1)$ and $\mathcal{B}$ flips a bit $d^\star \xleftarrow{R} \{0, 1\}$. Then, it chooses $\mu \xleftarrow{R} \mathbb{Z}_p^*$ and sets
$$C_1^\star = svk^\star \qquad C_2'^{\star} = A_2^{\mu} \qquad C_2''^{\star} = A_{-1}^{1/\mu} \qquad C_2'''^{\star} = B^{\mu} \qquad C_3^\star = m_{d^\star} \cdot T \qquad C_4^\star = B^{\alpha_2}$$
and $\sigma^\star = \mathcal{S}(ssk^\star, (C_3^\star, C_4^\star))$. Since $X_{i^\star} = A_1$ and $B = g^b$, $C^\star$ is a valid encryption of $m_{d^\star}$ with the random exponents $r = b/a^2$ and $t = a\mu$ whenever $T = e(g, g)^{b/a^2}$. When $T$ is random, $C^\star$ perfectly hides $m_{d^\star}$ and $\mathcal{A}$ cannot guess $d^\star$ with better probability than $1/2$. Eventually, $\mathcal{B}$ bets that $T = e(g, g)^{b/a^2}$ if $\mathcal{A}$ correctly guesses $d^\star$ and that $T$ is random otherwise. ⊓⊔

3.3 Efficiency

The first level decryption algorithm can be optimized using ideas from [34, 36]. Namely, verification tests (3)-(4) can be simultaneously achieved with high confidence by the receiver who can choose a random $\alpha \xleftarrow{R} \mathbb{Z}_p^*$ and test whether
$$\frac{e(C_2', C_2'' \cdot C_4^{\alpha})}{e(C_2''', u^{svk} \cdot v)^{\alpha}} = e(g, g)^{x_j}.$$
Hence, computing a quotient of two pairings (which is faster than ev
aluating two independent pairings [28]) and two extra exponentiations suffice to check the validity of the ciphertext. It could also be desirable to shorten ciphertexts that are significantly lengthened by one-time signatures and their public keys. To this end, ideas from Boyen, Mei and Waters [17] allow for fairly compact ciphertexts as components $C_1$ and $\sigma$ become unnecessary if the checksum value $C_4$ is computed using the Waters “hashing” technique [45] applied to a collision-resistant hash of $C_3$. This improvement in the ciphertext size unfortunately comes at the expense of a long public key (made of about 160 elements of $\mathbb{G}$ as in [45]) and a loose reduction. In the random oracle model, we can simultaneously keep short public keys and ciphertexts if we compute $C_4 = H(C_3)^r$ using a random oracle $H : \{0, 1\}^* \to \mathbb{G}$. By programming the latter using standard techniques in the security proof, we additionally get a tight security reduction. It is also worth mentioning that the random oracle model allows dispensing with trusted setup assumptions for the generation of $u, v \in \mathbb{G}$, the discrete logarithms of which must be safely erased by the trusted party performing the setup in the above description of the scheme.

4 Schemes in the Chosen-Key Model

In this section, we suggest modifications of our first scheme that can be proven secure in the sense of definition 3, where dishonest users' public keys can be arbitrarily chosen on-the-fly by the adversary invoking the delegation oracle and the re-encryption oracle. The main construction that we describe allows for temporary delegations: re-encryption keys are associated with definite time periods during which they can be used to translate ciphertexts. The simpler case where delegations are permanent is tackled by merely instantiating the scheme with a single time period as explained in section 4.2.

4.1 A Non-Interactive Scheme with Temporary Delegation

We describe a scheme supporting temporary delegation. Like temporary unidirectional PRE suggested in [3, 4, 37]⁷, it only allows the proxy to re-encrypt messages from A to B during a limited time period, but takes a different approach. Prior proposals involve a trusted server that changes system-wide parameters at discrete time intervals: at the beginning of period $i$, the server publicizes a group element $h_i \in \mathbb{G}$ that erases the old one $h_{i-1}$. If the scheme must be prepared for $L$ time periods, elements $h_1, \ldots, h_L$ can alternatively be generated all at once at setup time. This removes the need for a trusted server but incurs linear public storage in the number of time periods. In the random oracle model, the sequence $\{h_i\}_{i=1,\ldots,L}$ can be derived from a random oracle but, even in this case, schemes of [3, 4, 37] retain an interactive (albeit simple) delegation protocol where delegatees publish a delegation acceptance value at the beginning of each period during which they must be able to receive delegations. We depart from [3, 4, 37] in that we do not assume changing public parameters produced by a trusted server. Public parameters are fixed for the lifetime of the system and we do not require the random oracle model either. Also, our delegation mechanism is kept entirely non-interactive and does not require any action from the delegatee who remains entirely passive: delegation is achieved via a single message sent by the delegator to the proxy as in section 3. We assume that the scheme is prepared for a polynomial (in $\lambda$) number $L$ of time periods. In the description hereafter, both encryption algorithms and the re-encryption algorithm all take the period number $\ell$ as additional input. The scheme mixes the ideas of our first construction with the first identity-based encryption scheme suggested by Boneh and Boyen [13].

More precisely, the generation of re-encryption keys is randomized and actually reminiscent of the algorithm deriving decryption keys from identities in the IBE system (when period numbers are seen as identities). In a nutshell, the translation key from $i$ to $j$ during period $\ell \in \{1, \ldots, L\}$ consists of a pair $(A_{ij\ell}, B_{ij\ell}) = (X_j^{1/x_i} \cdot F_i(\ell)^r, X_i^r)$ for some $r \xleftarrow{R} \mathbb{Z}_p^*$ and where $F_i : \{1, \ldots, L\} \to \mathbb{G}$ is an identity-hashing function such as the one used in [13]. The pair $(A_{ij\ell}, B_{ij\ell})$ satisfies $e(X_i, A_{ij\ell}) = e(X_j, g) \cdot e(F_i(\ell), B_{ij\ell})$. Then, when ciphertexts are computed as $(X_i^s, F_i(\ell)^s, m \cdot e(g, g)^s)$ at level 2, the underlying idea of the re-encryption algorithm is to translate them into
$$(e(X_j, g)^s, m \cdot e(g, g)^s) = \big( e(X_i^s, A_{ij\ell}) / e(F_i(\ell)^s, B_{ij\ell}),\ m \cdot e(g, g)^s \big).$$
In order to preserve the publicly verifiable validity of first level ciphertexts however, the technique of section 3 must be applied twice to postpone the (implicit) calculation of both $e(X_i^s, A_{ij\ell})$ and $e(F_i(\ell)^s, B_{ij\ell})$ until the decryption at level 1.

– Global-setup($\lambda$): is exactly as in section 4. Common parameters consist of $\mathrm{par} := \{\mathbb{G}, \mathbb{G}_T, g, u, v, \mathrm{Sig}\}$.

⁷ The original version of this paper [37] described a temporary scheme in the same vein as the one suggested by section 3.2 in [3, 4]. This section re-considers the problem of temporary unidirectional delegation by removing interaction with the delegatee in the generation of temporary re-encryption keys and avoiding the reliance on a time server.

– Keygen($\lambda$): user $i$ sets his public key as a pair $pk_i = (X_i = g^{x_i}, Y_i = g^{y_i})$ with $(x_i, y_i) \xleftarrow{R} (\mathbb{Z}_p^*)^2$. Those values implicitly define a function $F_i : \{1, \ldots, L\} \to \mathbb{G}$ such that $F_i(\ell) = g^{\ell} \cdot Y_i$.

– ReKeygen($sk_i, pk_j, \ell$): given user $i$'s private key $sk_i = (x_i, y_i)$, the public key $pk_j = (X_j, Y_j)$ of user $j$ and a period number $\ell \in \{1, \ldots, L\}$, the delegator $i$ generates a unidirectional re-encryption key for period $\ell$ as
$$R_{ij\ell} = (A_{ij\ell}, B_{ij\ell}) = \big( X_j^{1/x_i} \cdot F_i(\ell)^r,\ X_i^r \big)$$
where $X_i, Y_i$ are part of $i$'s key $pk_i$ and $r \in \mathbb{Z}_p^*$ is a randomly chosen exponent.

– Enc$_1(m, pk_i, \ell, \mathrm{par})$: to encrypt $m \in \mathbb{G}_T$ under the public key $pk_i = (X_i, Y_i)$ at the first level during period $\ell$, choose $s, t_1, t_2 \xleftarrow{R} \mathbb{Z}_p^*$ and output $C_j' = (\ell, C_0, C_1', C_1'', C_1''', C_2', C_2'', C_2''', C_3, C_4, \sigma)$ where
$$C_0 = svk \qquad C_3 = e(g, g)^s \cdot m \qquad C_4 = (u^{svk} \cdot v)^s \qquad \sigma = \mathcal{S}(ssk, (\ell, C_3, C_4)),$$
for a freshly generated one-time key pair $(ssk, svk) \xleftarrow{R} \mathcal{G}(\lambda)$, and
$$C_1' = X_i^{t_1} \qquad C_1'' = (F_i(\ell) \cdot g)^{1/t_1} \qquad C_1''' = X_i^{s t_1}$$
$$C_2' = F_i(\ell)^{t_2} \qquad C_2'' = X_i^{1/t_2} \qquad C_2''' = F_i(\ell)^{s t_2}.$$

– Enc$_2(m, pk_i, \ell, \mathrm{par})$: to encrypt $m \in \mathbb{G}_T$ under the public key $pk_i = (X_i, Y_i)$ at level 2, the sender does the following.
  1. Generate a one-time key pair $(ssk, svk) \xleftarrow{R} \mathcal{G}(\lambda)$ and set $C_0 = svk$.
  2. Pick a random exponent $s \xleftarrow{R} \mathbb{Z}_p^*$ and compute $C$ as
  $$C = (\ell, C_0, C_1, C_2, C_3, C_4, \sigma) = \big( \ell,\ svk,\ X_i^s,\ F_i(\ell)^s,\ e(g, g)^s \cdot m,\ (u^{svk} \cdot v)^s,\ \sigma \big)$$
  where $\sigma = \mathcal{S}(ssk, (\ell, C_3, C_4))$.

– ReEnc($R_{ij\ell}, C_i, \ell$): given the re-encryption key $R_{ij\ell} = (A_{ij\ell}, B_{ij\ell})$ and a second level ciphertext $C_i = (\ell, C_0, C_1, C_2, C_3, C_4, \sigma)$, reject $C_i$ if its first component $\ell$ does not match $R_{ij\ell}$, if $\mathcal{V}(C_0, (\ell, C_3, C_4), \sigma) \neq 1$ or if one of the next equalities fails to hold:
$$e(X_i, C_4) = e(C_1, u^{C_0} \cdot v) \qquad e(X_i, C_2) = e(C_1, F_i(\ell)) \qquad (9)$$
Otherwise, choose $t_1, t_2 \xleftarrow{R} \mathbb{Z}_p^*$ and output $C_j' = (\ell, C_0, C_1', C_1'', C_1''', C_2', C_2'', C_2''', C_3, C_4, \sigma)$ where
$$C_1' = X_i^{t_1} \qquad C_1'' = A_{ij\ell}^{1/t_1} \qquad C_1''' = C_1^{t_1} = X_i^{s t_1}$$
$$C_2' = F_i(\ell)^{t_2} \qquad C_2'' = B_{ij\ell}^{1/t_2} \qquad C_2''' = C_2^{t_2} = F_i(\ell)^{s t_2}.$$

– Dec$_1(C_j, sk_j)$: given $sk_j = (x_j, y_j)$, parse $C_j$ as $(\ell, C_0, C_1', C_1'', C_1''', C_2', C_2'', C_2''', C_3, C_4, \sigma)$. Return ‘invalid’ if $\mathcal{V}(C_0, (\ell, C_3, C_4), \sigma) \neq 1$ or if these relations are not satisfied:
$$e(C_1', C_4) = e(C_1''', u^{C_0} \cdot v) \qquad (10)$$
$$e(C_2', C_4) = e(C_2''', u^{C_0} \cdot v) \qquad (11)$$
$$e(C_1', C_1'') = e(X_j, g) \cdot e(C_2', C_2''). \qquad (12)$$
Otherwise, return $m = C_3 \cdot \big( e(C_2'', C_2''') / e(C_1'', C_1''') \big)^{1/x_j}$.

– Dec$_2(C_i, sk_i)$: parse $C_i$ as $C_i = (\ell, C_0, C_1, C_2, C_3, C_4, \sigma)$ and $sk_i$ as $(x_i, y_i)$. Return ‘invalid’ if $\mathcal{V}(C_0, (\ell, C_3, C_4), \sigma) \neq 1$ or if relation (9) does not hold. Otherwise, return $m = C_3 / e(C_1, g)^{1/x_i}$.

As in section 4, the correctness of the re-encryption procedure follows from the fact that re-encryption keys $R_{ij\ell} = (A_{ij\ell}, B_{ij\ell})$ satisfy
$$e(A_{ij\ell}, X_i) = e(X_j^{1/x_i}, X_i) \cdot e(F_i(\ell)^r, X_i) = e(X_j, g) \cdot e(F_i(\ell), B_{ij\ell}).$$
When raising both members to the power $s \in \mathbb{Z}_p^*$, we find
$$e(X_i^s, A_{ij\ell}) = e(X_j, g)^s \cdot e(F_i(\ell)^s, B_{ij\ell}).$$
Since $C_4 = (u^{C_0} \cdot v)^s$, where $s \in \mathbb{Z}_p^*$ is the encryption exponent, relations (10)-(11) imply that $C_1''' = C_1'^{\,s}$ and $C_2''' = C_2'^{\,s}$. From (12), it comes that
$$\frac{e(C_1'', C_1''')}{e(C_2'', C_2''')} = e(X_j, g)^s.$$

The scheme is slightly less efficient and features longer ciphertexts than in section 3. On the other hand, it offers security guarantees in a stronger model. As established by the next two theorems, its security additionally rests on a weaker intractability assumption which is the $q$-wDBDHI assumption with $q = 1$. At level 2, the considered security model is a straightforward extension (where the adversary chooses both a target user $i^\star$ and a target period $\ell^\star$ at the end of the “find” stage) of the one expressed by definition 3 with simple restrictions: the adversary is not allowed to query delegations from user $i^\star$ for the attacked period $\ell^\star$. In addition, she is disallowed to query the re-encryption of the challenge pair $(pk_{i^\star}, C^\star)$ during the target period $\ell^\star$ or a first level decryption of its derivatives (the notion of derivative being generalized by imposing that a second level encryption and its derivatives pertain to the same period number).

Theorem 3. If $\mathrm{Sig}$ is a strongly secure one-time signature, the scheme with temporary delegation is RCCA-CK-secure at level 2 under the 1-wDBDHI assumption.

Proof. We show how to solve a 1-wDBDHI instance $(g, A = g^a, B = g^b, T = e(g, g)^{b/a})$ using an RCCA adversary $\mathcal{A}$ in the chosen key model. As in previous proofs, we first call $F_{OTS}$ the event that $\mathcal{A}$ comes up with a query on a valid ciphertext including components $(svk, \ell, C_3, C_4, \sigma)$ such that $svk = svk^\star$ is the same as in the challenge phase but $(\ell, C_3, C_4, \sigma) \neq (\ell^\star, C_3^\star, C_4^\star, \sigma^\star)$. In the "find" stage, $\mathcal{A}$ has simply no information on $svk^\star$, so that $F_{OTS}$ occurs with probability at most $q_O \cdot \delta$ if $q_O$ is the overall number of oracle queries and $\delta$ denotes the maximal probability (which does not exceed $1/p$) that any one-time verification key $svk$ is produced by $\mathcal{G}$. In the "guess" stage, $F_{OTS}$ clearly gives rise to an algorithm breaking the strong unforgeability of the one-time signature. Therefore, the probability $\Pr[F_{OTS}] \leq q_O/p + \mathbf{Adv}^{OTS}$, where $\mathbf{Adv}^{OTS}$ denotes the maximal probability of defeating the one-time signature security, must be negligible by assumption.

We now describe a 1-wDBDHI solver $\mathcal{B}$. In a preparation phase, the latter generates a one-time key pair $(ssk^\star, svk^\star) \leftarrow \mathcal{G}(\lambda)$ and provides $\mathcal{A}$ with public parameters including $u = g^{\alpha_1}$ and $v = g^{-\alpha_1 svk^\star} \cdot A^{\alpha_2}$ for random $\alpha_1, \alpha_2 \xleftarrow{R} \mathbb{Z}_p^*$. Observe that $u$ and $v$ define a function $F(svk) = u^{svk} \cdot v = g^{\alpha_1(svk - svk^\star)} \cdot A^{\alpha_2}$. In the model that extends definition 3, $\mathcal{B}$ has to guess upfront the honest user that will be $\mathcal{A}$'s prey. In addition, it must foresee the time period $\ell^\star$ for which the challenge ciphertext will have to be generated. Hence, $\mathcal{B}$ draws two integers $i^\star \xleftarrow{R} HU = \{1, \ldots, N\}$ and $\ell^\star \xleftarrow{R} \{1, \ldots, L\}$, hoping that the attack will pertain to user $i^\star$ at period $\ell^\star$ (the probability $1/LN$ of this event is non-negligible as long as $L$ and $N$ are both polynomial). The whole attack environment is then emulated as follows:

• Key generation:
- The expected target user's public key $pk_{i^\star} = (X_{i^\star}, Y_{i^\star})$ is chosen as $X_{i^\star} = A = g^a$, $Y_{i^\star} = g^{-\ell^\star} \cdot A^{y_{i^\star}}$ for a randomly chosen $y_{i^\star} \xleftarrow{R} \mathbb{Z}_p^*$. The corresponding private key $sk_{i^\star}$ includes the unknown exponent $\tilde{x}_{i^\star} = a$.
- For other users $i \in HU \setminus \{i^\star\}$, public keys are chosen as $X_i = A^{x_i} = g^{a x_i}$, $Y_i = g^{y_i}$, with $x_i, y_i \xleftarrow{R} \mathbb{Z}_p^*$, so that the first element of the underlying secret key is $\tilde{x}_i = a x_i$.
- To generate re-encryption keys $R_{ij\ell}$ for players $i, j \in HU$ and period $\ell$, $\mathcal{B}$ can first compute $X_j^{1/\tilde{x}_i}$, which in turn allows for the generation of $R_{ij\ell}$ for known random exponents $r \in \mathbb{Z}_p^*$ (alternatively, it can be directly given to the adversary as a meta-key enabling the generation of keys for all periods). Three situations must be distinguished:
  - If $i \in HU \setminus \{i^\star\}$ and $j = i^\star$, $\mathcal{B}$ can compute $R_{ii^\star\ell}$ using $X_{i^\star}^{1/\tilde{x}_i} = g^{1/x_i}$, which yields a correct key since $g^{1/x_i} = (g^a)^{1/(a x_i)} = X_{i^\star}^{1/\tilde{x}_i}$.
  - If $i = i^\star$ and $j \in HU \setminus \{i^\star\}$, $\mathcal{B}$ computes $R_{i^\star j\ell}$ using $X_j^{1/\tilde{x}_{i^\star}} = g^{x_j}$, which has the correct shape since $g^{x_j} = (g^{a x_j})^{1/a} = X_j^{1/\tilde{x}_{i^\star}}$.
  - If $i, j \in HU \setminus \{i^\star\}$, $X_j^{1/\tilde{x}_i} = g^{x_j/x_i}$ is also computable since $\tilde{x}_i = a x_i$ and $\tilde{x}_j = a x_j$.

• Queries:
- Delegation queries: the simulator halts and declares failure if $\mathcal{A}$ ever queries a re-encryption key $R_{i^\star j\ell^\star}$ for a delegatee $j \notin HU$ (which means that $\mathcal{B}$ was unfortunate in its choice of $i^\star$ and $\ell^\star$ at the beginning of the game). Otherwise,
  - For a query involving an honest delegator $i \in HU \setminus \{i^\star\}$ and a delegatee's public key $pk_j = (X_j, Y_j)$ supplied by $\mathcal{A}$ (recall that we may have $pk_j \neq pk_i$ for all $i \in HU$, in which case $\mathcal{A}$ does not have to reveal the matching $sk_j$), we have $X_i = g^{a x_i}$, $Y_i = g^{y_i}$, for known values $x_i, y_i \in \mathbb{Z}_p^*$, and $\mathcal{B}$ uses techniques from [13] to generate re-encryption keys $R_{ij\ell}$. Namely, it chooses $r \xleftarrow{R} \mathbb{Z}_p^*$ and outputs

$$R_{ij\ell} = \Big( g^{r(\ell + y_i)},\; X_i^r \cdot X_j^{-1/(\ell + y_i)} \Big). \tag{13}$$

  If we define $\tilde{r} = r - \frac{x_j}{a x_i (\ell + y_i)}$, we observe that $R_{ij\ell}$ has the required distribution since

$$X_j^{1/\tilde{x}_i} \cdot (g^{\ell} \cdot Y_i)^{\tilde{r}} = X_j^{1/(a x_i)} \cdot (g^{\ell + y_i})^{\tilde{r}} = X_j^{1/(a x_i)} \cdot (g^{\ell + y_i})^{r} \cdot (g^{\ell + y_i})^{-\frac{x_j}{a x_i (\ell + y_i)}} = g^{r(\ell + y_i)}$$

  and $X_i^{\tilde{r}} = X_i^r \cdot X_j^{-1/(\ell + y_i)}$. We observe that, provided $\ell + y_i \neq 0$, $\mathcal{B}$ can compute both components of (13) without knowing the delegatee's private key $x_j = \log_g(X_j)$. Since $y_i$ is chosen at random for $i \in HU \setminus \{i^\star\}$, the probability to have $\ell + y_i \neq 0$ for all $\ell \in \{1, \ldots, L\}$ and all $i$ is at least $1 - LN/p$, which is overwhelming when $L$ and $N$ are both polynomial in $\lambda$.

  - In the case $i = i^\star$ and $\ell \neq \ell^\star$, let $pk_j = (X_j, Y_j)$ be the delegatee's public key supplied by $\mathcal{A}$. Since $X_{i^\star} = A = g^a$ and $Y_{i^\star} = g^{-\ell^\star} \cdot A^{y_{i^\star}}$ for known values $y_{i^\star}, \ell^\star \in \mathbb{Z}_p^*$, $\mathcal{B}$ can generate re-encryption keys as pairs

$$R_{i^\star j\ell} = \Big( (g^{\ell} \cdot Y_{i^\star})^r \cdot X_j^{-\frac{y_{i^\star}}{\ell - \ell^\star}},\; X_{i^\star}^r \cdot X_j^{-\frac{1}{\ell - \ell^\star}} \Big). \tag{14}$$

  If we set $\tilde{r} = r - \frac{x_j}{a(\ell - \ell^\star)}$, we see that $R_{i^\star j\ell}$ has the proper shape since

$$\begin{aligned}
X_j^{1/\tilde{x}_{i^\star}} \cdot (g^{\ell} \cdot Y_{i^\star})^{\tilde{r}} &= X_j^{1/a} \cdot (g^{\ell - \ell^\star} \cdot A^{y_{i^\star}})^{\tilde{r}} \\
&= X_j^{1/a} \cdot (g^{\ell - \ell^\star} \cdot A^{y_{i^\star}})^{r} \cdot (g^{\ell - \ell^\star})^{-\frac{x_j}{a(\ell - \ell^\star)}} \cdot A^{-\frac{y_{i^\star} x_j}{a(\ell - \ell^\star)}} \\
&= (g^{\ell - \ell^\star} \cdot A^{y_{i^\star}})^{r} \cdot X_j^{-\frac{y_{i^\star}}{\ell - \ell^\star}}
\end{aligned}$$

  and $X_{i^\star}^{\tilde{r}} = X_{i^\star}^r \cdot X_j^{-1/(\ell - \ell^\star)}$. Again, the above computation can be carried out without knowing $x_j = \log_g(X_j)$.

- Re-encryption queries: for any adversarially-chosen public key $pk_j = (X_j, Y_j)$, $\mathcal{B}$ can compute re-encryption keys for any delegator $i \in HU \setminus \{i^\star\}$. It can also compute $R_{i^\star j\ell}$ on behalf of the target user $i^\star$ whenever $\ell \neq \ell^\star$. We thus assume that $i = i^\star$ and $\ell = \ell^\star$. If relations (9) do not hold, $\mathcal{B}$ returns 'invalid'. Otherwise,
  · If $C_0 = svk^\star$, we necessarily have an occurrence of $F_{OTS}$ since, after the challenge phase, re-encryptions of $C^\star$ to users outside $HU$ are not permitted for period $\ell^\star$.
  · If $C_0 \neq svk^\star$, $i = i^\star$ and $j \notin HU$. Given $C_1 = X_{i^\star}^s = A^s$ and $C_4 = F(svk)^s$, $\mathcal{B}$ can compute $g^s = (C_4 / C_1^{\alpha_2})^{1/(\alpha_1(svk - svk^\star))}$. Also, we have $C_2 = (g^{\ell^\star} \cdot Y_{i^\star})^s = A^{s y_{i^\star}}$. Then, $\mathcal{B}$ picks $t_1, t_2 \xleftarrow{R} \mathbb{Z}_p^*$ to compute

$$\begin{aligned}
C_1' &= g^{t_1} \cdot (A^{y_{i^\star}})^{t_1} & C_1'' &= X_j^{1/t_1} & C_1''' &= (g^s)^{t_1} \cdot C_2^{t_1} = (g^s)^{t_1} \cdot (A^{s y_{i^\star}})^{t_1} \\
C_2' &= (A^{y_{i^\star}})^{t_2} & C_2'' &= X_j^{1/t_2} & C_2''' &= C_2^{t_2} = (A^{s y_{i^\star}})^{t_2}
\end{aligned}$$

  and return the re-encrypted ciphertext $C_j = (C_0, C_1', C_1'', C_1''', C_2', C_2'', C_2''', C_3, C_4, \sigma)$, which satisfies the validity test (10)-(12).
- First level decryption queries: when a ciphertext $C_i = (\ell, C_0, C_1', C_1'', C_1''', C_2', C_2'', C_2''', C_3, C_4, \sigma)$ is queried w.r.t. a public key $X_i$ with $i \in HU$ at the first level, we necessarily have $e(C_1'', C_1''')/e(C_2'', C_2''') = e(X_i, g)^s$, for an unknown $s \in \mathbb{Z}_p^*$, if $C_i$ is valid. Since $X_i = A^{x_i}$, for a known value $x_i$ (which equals 1 if $i = i^\star$), and $e(C_4, g) = e(g, g)^{\alpha_1 s (svk - svk^\star)} \cdot e(A, g)^{s \alpha_2}$, $\mathcal{B}$ obtains

$$e(g, g)^s = \left( \frac{e(C_4, g) \cdot e(C_2'', C_2''')^{\alpha_2 / x_i}}{e(C_1'', C_1''')^{\alpha_2 / x_i}} \right)^{\frac{1}{\alpha_1 (C_0 - svk^\star)}} \tag{15}$$

  which reveals the plaintext $m = C_3 / e(g, g)^s$ as long as $svk \neq svk^\star$. In the event that $C_0 = svk^\star$ after the challenge phase,

  - If $\ell \neq \ell^\star$, we have an occurrence of $F_{OTS}$ since $\ell$ is signed along with $C_3$ and $C_4$ in both encryption algorithms.
  - If $\ell = \ell^\star$ and $C_4 = C_4^\star$, $\mathcal{B}$ returns $\bot$ to indicate that $C_i$ is a re-randomization (and thus a derivative) of the challenge ciphertext.
  - Otherwise, we have $(C_3^\star, C_4^\star, \sigma^\star) \neq (C_3, C_4, \sigma)$ and thus another occurrence of $F_{OTS}$.
  Again, when handling post-challenge queries, $\mathcal{B}$ only returns $m$ if $m \notin \{m_0, m_1\}$.
• Challenge: when $\mathcal{A}$ comes up with messages $m_0, m_1 \in \mathbb{G}_T$ and indices $i \in HU$, $\ell \in \{1, \ldots, L\}$, $\mathcal{B}$ aborts if $i \neq i^\star$ or $\ell \neq \ell^\star$. With probability $1/LN$, such an undesirable event is avoided and we have $g^{\ell} \cdot Y_i = A^{y_{i^\star}}$. Then, $\mathcal{B}$ draws $d^\star \xleftarrow{R} \{0, 1\}$ and constructs the challenge $C^\star$ as

$$C_0^\star = svk^\star \qquad C_1^\star = B \qquad C_2^\star = B^{y_{i^\star}} \qquad C_3^\star = m_{d^\star} \cdot T \qquad C_4^\star = B^{\alpha_2}$$

and $\sigma^\star = \mathcal{S}(ssk^\star, (C_3^\star, C_4^\star))$. As one can see, $C^\star$ encrypts $m_{d^\star}$ under $pk_{i^\star}$ with the random exponent $s = b/a$ if $T = e(g, g)^{b/a}$, whereas $\mathcal{A}$'s view is independent of $d^\star$ if $T$ is random. As usual, $\mathcal{B}$ outputs 1 (meaning that $T = e(g, g)^{b/a}$) if $\mathcal{A}$ successfully guesses $d^\star$ and returns 0 otherwise. □

At level 1, the model does not change and the adversary can still query all re-encryption keys without restrictions.

Theorem 4. Assuming the strong unforgeability of the one-time signature, the scheme is RCCA-CK-secure at level 1 under the 1-wDBDHI assumption.

Proof. Let $\mathcal{A}$ be an RCCA adversary at level 1. We show an algorithm $\mathcal{B}$ that decides if $T = e(g, g)^{b/a}$ given $(g, A = g^a, B = g^b)$. Let $C^\star = (\ell^\star, C_0^\star, C_1'^\star, C_1''^\star, C_1'''^\star, C_2'^\star, C_2''^\star, C_2'''^\star, C_3^\star, C_4^\star, \sigma^\star)$ be the challenge ciphertext. As above, we start by defining an event $F_{OTS}$ which is the same as in the proof of theorem 3. Assuming the strong security of the one-time signature, this event comes about with negligible probability, as detailed in the proof of prior theorems. We now describe our simulator $\mathcal{B}$ that simply halts and outputs a random bit if $F_{OTS}$ ever happens.

As in the previous proof, the simulator $\mathcal{B}$ picks a one-time key pair $(ssk^\star, svk^\star) \leftarrow \mathcal{G}(\lambda)$ and sets up public parameters as $u = g^{\alpha_1}$ and $v = g^{-\alpha_1 svk^\star} \cdot A^{\alpha_2}$, with $\alpha_1, \alpha_2 \xleftarrow{R} \mathbb{Z}_p^*$, so that we have $F(svk) = u^{svk} \cdot v = g^{\alpha_1(svk - svk^\star)} \cdot A^{\alpha_2}$. The adversary's view is then simulated as follows.

• Key generation: $\mathcal{B}$ generates a public key $pk_0 = (X_0, Y_0) = (A, g^y)$, for a random $y \xleftarrow{R} \mathbb{Z}_p^*$, so that $sk_0 = (\tilde{x}_0, \tilde{y}_0) = (a, y)$ is the implicitly defined secret.

• Delegation queries: at any time, $\mathcal{A}$ can output a public key $(X_j, Y_j)$ of her choosing and a time period $\ell$ and request $\mathcal{B}$ to generate a re-encryption key $R_{0j\ell}$ on behalf of user 0 acting as a delegator. Since $X_0 = A$ and $Y_0 = g^y$ for a known value $y \in \mathbb{Z}_p^*$, $\mathcal{B}$ can proceed as in the proof of theorem 3 by drawing $r \xleftarrow{R} \mathbb{Z}_p^*$ and returning

$$R_{0j\ell} = \Big( g^{r(\ell + y)},\; X_0^r \cdot X_j^{-1/(\ell + y)} \Big), \tag{16}$$

which has the correct distribution since, if we define $\tilde{r} = r - \frac{x_j}{a(\ell + y)}$, we have

$$X_j^{1/\tilde{x}_0} \cdot (g^{\ell} \cdot Y_0)^{\tilde{r}} = X_j^{1/a} \cdot (g^{\ell + y})^{\tilde{r}} = X_j^{1/a} \cdot (g^{\ell + y})^{r} \cdot (g^{\ell + y})^{-\frac{x_j}{a(\ell + y)}} = g^{r(\ell + y)}$$

and $X_0^{\tilde{r}} = X_0^r \cdot X_j^{-1/(\ell + y)}$. Both parts of (16) are computable (without knowing the discrete logarithm $x_j = \log_g(X_j)$) whenever $\ell + y \neq 0$. Since $y$ is drawn at random, this is the case for any $\ell \in \{1, \ldots, L\}$ with probability at least $1 - L/p$.

• First level decryption queries: when faced with a decryption query for a first level ciphertext $C = (\ell, C_0, C_1', C_1'', C_1''', C_2', C_2'', C_2''', C_3, C_4, \sigma)$, $\mathcal{B}$ returns 'invalid' if relations (10)-(12) do not hold. If they do, we must have $e(C_1'', C_1''')/e(C_2'', C_2''') = e(X_0, g)^s$, where $s$ is the unknown exponent such that $C_4 = (u^{C_0} \cdot v)^s$. Therefore, as in the proof of theorem 3, $\mathcal{B}$ can compute

$$e(g, g)^s = \left( \frac{e(C_4, g) \cdot e(C_2'', C_2''')^{\alpha_2}}{e(C_1'', C_1''')^{\alpha_2}} \right)^{\frac{1}{\alpha_1 (C_0 - svk^\star)}}$$

(and the plaintext) as long as $C_0 \neq svk^\star$. If $C_0 = svk^\star$ in a post-challenge query,
  - If $C_4 = C_4^\star$, $\mathcal{B}$ returns $\bot$ to indicate that $C$ is a re-randomization of the challenge ciphertext.
  - Otherwise, we necessarily have an occurrence of $F_{OTS}$ and $\mathcal{B}$ terminates.
  To comply with replayable CCA security rules after the challenge phase, $\mathcal{B}$ must always check that $m \notin \{m_0, m_1\}$ before answering the query.

• Challenge: at the challenge step, $\mathcal{A}$ outputs messages $(m_0, m_1)$ and a time period $\ell^\star$. $\mathcal{B}$ tosses a coin $d^\star \xleftarrow{R} \{0, 1\}$. It chooses $t_1, \mu \xleftarrow{R} \mathbb{Z}_p^*$ and prepares the challenge $C^\star$ as

$$\begin{aligned}
C_0^\star &= svk^\star \\
C_1'^\star &= A^{t_1} & C_1''^\star &= (g^{\ell^\star + 1} \cdot Y_0)^{1/t_1} & C_1'''^\star &= B^{t_1} \\
C_2'^\star &= A^{\mu(\ell^\star + y)} & C_2''^\star &= g^{1/\mu} & C_2'''^\star &= B^{\mu(\ell^\star + y)} \\
C_3^\star &= m_{d^\star} \cdot T & C_4^\star &= B^{\alpha_2}
\end{aligned}$$

and $\sigma^\star = \mathcal{S}(ssk^\star, (\ell^\star, C_3^\star, C_4^\star))$. Recall that $X_0 = A$, $Y_0 = g^y$ and $B = g^b$. Whenever $T = e(g, g)^{b/a}$, $C^\star$ is a valid encryption of $m_{d^\star}$ with the encryption exponent $s = b/a$ and the blinding exponents $t_1$ and $t_2 = a\mu$. When $T$ is random, $C^\star$ leaks no information on $m_{d^\star}$ or the bit $d^\star \in \{0, 1\}$. Finally, $\mathcal{B}$ bets that $T = e(g, g)^{b/a}$ if $\mathcal{A}$ correctly guesses $d^\star$ and that $T$ is random otherwise. □
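The simulations in the proofs of theorems 3 and 4 rest on three identities: keys (13), (14) and (16) are computed without the delegatee's exponent $x_j$ (and without $a$), yet equal the key an honest delegator with secret $\tilde{x}_i$ would output for the shifted exponent $\tilde{r}$ given in each proof. The following Python block is an added example, not code from the paper; it checks the three identities numerically in a small prime-order subgroup of $\mathbb{Z}_q^*$ standing in for $\mathbb{G}$ (no pairing is needed for these checks). The toy group, the function names and the sample exponents are all constructed here.

```python
# Added example (not code from the paper): checking, in a toy prime-order group,
# that the simulator's re-encryption keys (13), (14) and (16) coincide with
# honestly generated keys for the shifted exponent r~. No pairing is needed for
# these identities, so the order-p subgroup of Z_q^* (q = 2p + 1) stands in
# for G. Group elements are ints mod q, exponents are ints mod p.
import random


def is_prime(n):
    """Trial division; fine for the small toy parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def toy_group(lower=1000):
    """Return (q, p, g) with q = 2p + 1 a safe prime and g of order p in Z_q^*."""
    p = lower
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 1
    q = 2 * p + 1
    for h in range(2, q):
        g = h * h % q          # a non-trivial square generates the order-p subgroup
        if g != 1:
            return q, p, g


def gexp(G, X, e):
    """X^e in the group, reducing the exponent modulo the group order p first."""
    q, p, _ = G
    return pow(X, e % p, q)


def inv(G, e):
    """1/e in Z_p (Fermat), for an exponent e that is nonzero mod p."""
    _, p, _ = G
    return pow(e % p, p - 2, p)


def honest_key(G, xt_i, Y_i, X_j, ell, r_t):
    """R_{ij,ell} as the delegator computes it with its secret x~_i and
    F_i(ell) = g^ell * Y_i:  ( X_j^{1/x~_i} * (g^ell * Y_i)^{r~},  X_i^{r~} )."""
    q, p, g = G
    X_i = gexp(G, g, xt_i)
    F = gexp(G, g, ell) * Y_i % q
    return (gexp(G, X_j, inv(G, xt_i)) * gexp(G, F, r_t) % q, gexp(G, X_i, r_t))


def sim_key_honest_delegator(G, x_i, y_i, X_i, X_j, ell, r):
    """Equation (13): delegator i in HU \\ {i*} with X_i = A^{x_i}, Y_i = g^{y_i};
    neither a nor x_j is used."""
    q, p, g = G
    e = inv(G, ell + y_i)
    return (gexp(G, g, r * (ell + y_i)), gexp(G, X_i, r) * gexp(G, X_j, -e) % q)


def sim_key_target_delegator(G, A, y_star, X_j, ell, ell_star, r):
    """Equation (14): delegator i* with X_{i*} = A, Y_{i*} = g^{-ell*} A^{y_{i*}},
    for a period ell != ell*; again neither a nor x_j is used."""
    q, p, g = G
    Y_star = gexp(G, g, -ell_star) * gexp(G, A, y_star) % q
    F = gexp(G, g, ell) * Y_star % q
    e = inv(G, ell - ell_star)
    return (gexp(G, F, r) * gexp(G, X_j, -y_star * e) % q,
            gexp(G, A, r) * gexp(G, X_j, -e) % q)


def check_simulations(seed=1, L=8):
    """Draw a, x_i, y_i, x_j, r and two periods at random (constructed sample
    values) and return True iff (13), (14) and (16) agree with honest_key for
    the r~ stated in the proofs."""
    G = toy_group()
    q, p, g = G
    rng = random.Random(seed)
    a, x_i, x_j, r = (rng.randrange(1, p) for _ in range(4))
    ell, ell_star = rng.sample(range(1, L + 1), 2)      # distinct periods
    y_i = rng.randrange(1, p)
    while (ell + y_i) % p == 0:                          # the proofs need ell + y_i != 0
        y_i = rng.randrange(1, p)
    A, X_j = gexp(G, g, a), gexp(G, g, x_j)

    # (13): x~_i = a x_i,  r~ = r - x_j / (a x_i (ell + y_i))
    X_i, Y_i = gexp(G, A, x_i), gexp(G, g, y_i)
    r_t = (r - x_j * inv(G, a * x_i * (ell + y_i))) % p
    ok13 = honest_key(G, a * x_i, Y_i, X_j, ell, r_t) == \
        sim_key_honest_delegator(G, x_i, y_i, X_i, X_j, ell, r)

    # (14): x~_{i*} = a,  r~ = r - x_j / (a (ell - ell*))
    y_star = y_i
    Y_star = gexp(G, g, -ell_star) * gexp(G, A, y_star) % q
    r_t = (r - x_j * inv(G, a * (ell - ell_star))) % p
    ok14 = honest_key(G, a, Y_star, X_j, ell, r_t) == \
        sim_key_target_delegator(G, A, y_star, X_j, ell, ell_star, r)

    # (16) is (13) with x_i = 1 (X_0 = A, Y_0 = g^y),  r~ = r - x_j / (a (ell + y))
    r_t = (r - x_j * inv(G, a * (ell + y_i))) % p
    ok16 = honest_key(G, a, Y_i, X_j, ell, r_t) == \
        sim_key_honest_delegator(G, 1, y_i, A, X_j, ell, r)
    return ok13 and ok14 and ok16
```

`honest_key` is the only function that touches the delegator's secret $\tilde{x}_i$; the two `sim_key_*` functions see only public group elements and the simulator's own scalars, which is exactly the point of the reduction. The `while` loop mirrors the $\ell + y_i \neq 0$ condition; the second exponent in (14) needs $\ell \neq \ell^\star$, which `rng.sample` guarantees.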

4.2 A Non-Temporary PRE in the Chosen-Key Model

In settings where delegations should be permanent rather than temporary, one can simply instantiate the above scheme with a single time period. In this case, the scheme can be further simplified by defining the functions $F_i$ as constants $F_i = Y_i$ for any user $i$.

4.3 PRE with Windowed Delegation

It may happen that temporary delegations should take place during several consecutive time periods whereas these periods should be short enough to give fine time granularity. For instance, the delegator may want to set up his public key for one-day periods and grant specific decryption rights during several months. In such situations, the temporary PRE suggested in section 4.1 requires the generation of a new re-encryption key at each time period, and thus incurs re-encryption keys that have linear length in the duration of the delegation. By appropriately modifying the scheme using ideas borrowed from forward-secure public key encryption [21, 14], re-encryption key sizes can be decreased from $O(\Delta L)$ to $O(\log_2(\Delta L))$, where $\Delta L$ denotes the length of the windowed delegation (i.e., the number of periods during which translation keys should be effective). Each user's public key now comprises $O(\log L)$ additional group elements $h_{i,0}, h_{i,1}, \ldots, h_{i,\theta} \in \mathbb{G}$, where $L = 2^\theta - 1$ is the total number of periods that the key is prepared for.

The scheme described in section 4.1 bears a salient resemblance to the selective-ID secure IBE scheme of Boneh-Boyen [13]: indeed, the function $F_i(\ell) = g^{\ell} \cdot Y_i$ applies the Boneh-Boyen identity hashing by seeing period numbers $\ell$ as identities. For such windowed delegations, the aforementioned number theoretic hash function is more convenient to instantiate as $F_i(\ell) = h_{i,0} \cdot \prod_{k=1}^{\theta} h_{i,k}^{\ell_k}$, using the binary expansion $\ell = \ell_1 \ldots \ell_\theta \in \{0, 1\}^\theta$ of $\ell$. We imagine a binary tree of height $\theta + 1$ where the root (at depth 0) has label $\varepsilon$. When a node at depth $\leq \theta$ has label $w$, its children are labeled with $w0$ and $w1$. The leaves of the tree correspond to time periods in the obvious way, periods being indexed from 0 to $L - 1$ and stage $\ell$ being associated with the leaf labeled by $\ell_1 \ldots \ell_\theta$.

Let us assume that a delegator $i$ holds a public key $pk_i = (X_i = g^{x_i}, h_{i,0}, h_{i,1}, \ldots, h_{i,\theta})$ and wishes to delegate to user $j$, whose public key $pk_j$ includes $X_j = g^{x_j}$, during periods $\{L_0 + 1, \ldots, L_1\}$. First, to each tree node with label $w = w_1 \ldots w_d$ at depth $d \leq \theta$, user $i$ assigns the node key

$$R_{ij,w} = \Big( X_j^{1/x_i} \cdot \big( h_{i,0} \cdot \prod_{k=1}^{d} h_{i,k}^{w_k} \big)^r,\; X_i^r,\; h_{i,d+1}^r, \ldots, h_{i,\theta}^r \Big)$$

according to the Boneh-Boyen-Goh HIBE system [14] (by seeing $(w_1, \ldots, w_d) \in \{0, 1\}^d$ as a vector of binary identities). As in [14], such a node key allows iteratively deriving similar keys for all of $w$'s descendants until reaching the leaves, for which keys only consist of

$$R_{ij,\ell} = \Big( X_j^{1/x_i} \cdot \big( h_{i,0} \cdot \prod_{k=1}^{\theta} h_{i,k}^{\ell_k} \big)^r,\; X_i^r \Big)$$

and actually suffice to re-encrypt ciphertexts during period $\ell = \ell_1 \ldots \ell_\theta \in \{0, 1\}^\theta$. To allow re-encryptions for a window $\{L_0 + 1, \ldots, L_1\}$ of $\Delta L = L_1 - L_0$ time periods, the delegator only provides the proxy with the smallest set of node keys that contains an ancestor of each leaf falling in $\{L_0 + 1, \ldots, L_1\}$ (and no ancestor of leaves outside this interval). Then, the proxy only has to store $O(\log_2(\Delta L))$ group elements instead of $O(\Delta L)$ using the method of section 4.1. The price to pay is that a stronger assumption (i.e., the $\theta$-wDBDHI assumption where $\theta = O(\log L) > 1$) is needed to prove security results in a security model that naturally extends the one used in 4.1. Namely, at level 2 (the model obviously does not change at level 1), security is captured by a game where the attacked period $\ell^\star$ must be outside the union of all time windows for which the adversary has requested delegations from the target user. We omit detailed security proofs here, but it is not hard to convince oneself that security in this game more or less trivially follows from the selective-ID security of the underlying HIBE [14].
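The set of node keys the delegator hands the proxy is the classical interval cover of a binary tree: scanning the window left to right, take the largest aligned subtree that still fits inside it. The following Python block is an added example (not code from the paper) that computes that cover for the tree of this section, verifies that it covers exactly the periods $L_0 + 1, \ldots, L_1$, locates the stored node from which a given period's leaf key is derived, and counts the group elements stored under the node-key format above against one leaf key (two elements) per period. The function names are this example's own.

```python
# Added example (not from the paper): node-key cover for a delegation window
# in the binary tree of section 4.3. Leaves are periods 0 .. 2^theta - 1 and a
# node at depth d carries a label w in {0,1}^d (the root has the empty label).
# The group elements themselves are left out; only which node keys the proxy
# receives, and how many elements they hold, is computed.


def window_cover(theta, L0, L1):
    """Labels of the minimal set of nodes whose leaves are exactly the periods
    L0+1 .. L1: scan left to right, taking the largest aligned subtree that
    starts at the current period and stays inside the window."""
    if not (0 <= L0 + 1 <= L1 < 2 ** theta):
        raise ValueError("window must lie inside the tree's leaves")
    cover, lo = [], L0 + 1
    while lo <= L1:
        k = 0
        # grow the subtree while it remains aligned and inside the window
        while k < theta and lo % (2 ** (k + 1)) == 0 and lo + 2 ** (k + 1) - 1 <= L1:
            k += 1
        depth = theta - k
        cover.append(format(lo >> k, "0%db" % depth) if depth else "")
        lo += 2 ** k
    return cover


def leaves_under(theta, label):
    """Periods covered by the node with this label (the leaves of its subtree)."""
    d = len(label)
    start = (int(label, 2) << (theta - d)) if label else 0
    return range(start, start + 2 ** (theta - d))


def covered_periods(theta, cover):
    """Sorted list of all periods some node key in the cover can be derived for."""
    periods = set()
    for w in cover:
        periods.update(leaves_under(theta, w))
    return sorted(periods)


def stored_ancestor(theta, cover, period):
    """The cover node from whose key the proxy derives the leaf key for `period`
    (by appending the remaining bits of the leaf label), or None if the period
    lies outside the delegated window."""
    leaf = format(period, "0%db" % theta)
    for w in cover:
        if leaf.startswith(w):
            return w
    return None


def node_key_size(theta, label):
    """Group elements in R_{ij,w} for a node at depth d = len(label): the first
    component, X_i^r, and h_{i,d+1}^r ... h_{i,theta}^r."""
    return 2 + (theta - len(label))


def proxy_storage(theta, L0, L1):
    """(elements held as node keys for the window,
        elements held as one two-element leaf key per period)."""
    cover = window_cover(theta, L0, L1)
    return sum(node_key_size(theta, w) for w in cover), 2 * (L1 - L0)


if __name__ == "__main__":
    theta, L0, L1 = 4, 2, 12            # constructed sample window: periods 3 .. 12
    cover = window_cover(theta, L0, L1)
    print("cover:", cover)
    print("periods:", covered_periods(theta, cover))
    print("period 5 derives from node:", stored_ancestor(theta, cover, 5))
    print("storage (node keys, per-period keys):", proxy_storage(theta, L0, L1))
```

Two checks worth keeping in mind when reading the output: every period inside the window has exactly one ancestor in the cover and every period outside has none (that is the "no ancestor of leaves outside this interval" condition), and a single period costs a full-depth leaf label, so the cover can contain up to about $2\theta$ nodes, which is still logarithmic in $L$ rather than linear in $\Delta L$.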

4.4 Introducing Warrants and Keywords in Proxy Re-Encryption

It may be desirable for delegators to only permit the re-encryption of ciphertexts that are tagged with specific keywords. For example, a traveling businessman may want the proxy to only redirect incoming encrypted emails to his secretary when the tagged keyword is "urgent". Rather than keywords, second level ciphertexts can be tagged with a warrant that specifies conditions under which re-encryption should be permitted. A natural way to impose such restrictions is to introduce these warrants or keywords in re-encryption keys in such a way that proxies will be limited to only translate a particular class of ciphertexts.

The above scheme is actually amenable to provide warrant-based and keyword-based delegations. It suffices to replace the Boneh-Boyen [13] identity hashing $F_i(\ell) = g^{\ell} \cdot Y_i$ with Waters' adaptive-ID secure identity hashing [45] $F_i : \{0, 1\}^n \to \mathbb{G}$ that, on input of an $n$-bit string $W = w_1 \ldots w_n \in \{0, 1\}^n$, calculates $F_i(W) = U_{i,0} \cdot \prod_{k=1}^{n} U_{i,k}^{w_k}$ using a random $(n+1)$-vector $\vec{U}_i = (U_{i,0}, U_{i,1}, \ldots, U_{i,n}) \in \mathbb{G}^{n+1}$ that supersedes $Y_i$ in user $i$'s public key. To generate a re-encryption key using a delegatee's public key $pk_j = (X_j, \vec{U}_j)$ and the warrant $W$, the delegator $i$ computes

$$R_{ij,W} = (A_{ij,W}, B_{ij,W}) = \big( X_j^{1/x_i} \cdot F_i(W)^r,\; X_i^r \big).$$

Such a key only allows translating second level ciphertexts that are calculated as per

$$C = (W, C_0, C_1, C_2, C_3, C_4, \sigma) = \big( W,\; svk,\; X_i^s,\; F_i(W)^s,\; e(g, g)^s \cdot m,\; (u^{svk} \cdot v)^s,\; \sigma \big), \tag{17}$$

where $\sigma = \mathcal{S}(ssk, (W, C_3, C_4))$. The security proofs (in a model that naturally generalizes the one of the scheme with temporary delegation) rely on the same assumption but with a looser reduction due to the use of Waters' technique.

Identity-based techniques and proxy re-encryption can be mixed in several settings. Other extensions are indeed possible in a natural analogue of the selective-ID security model [13] for IBE schemes (i.e., a model defined by selective-keyword games where the adversary should choose the target keyword upfront and before seeing any public key). By borrowing ideas from the identity-based broadcast encryption with constant-size ciphertexts (derived from the Boneh-Boyen-Goh [14] hierarchical IBE) suggested in [1], we can construct a keyword-based PRE where ciphertexts are tagged with multiple keywords. Re-encryption is then permitted as long as the proxy has a translation key corresponding to at least one of them. In this case, ciphertexts retain constant (i.e., independent of the number of tagging keywords) size at the expense of private keys that have quadratic size in the maximal number of keywords that a ciphertext can be associated with. Using ideas from Sahai-Waters [41], one can also imagine designing keyword-based PRE systems with error-tolerance: the proxy is allowed to re-encrypt ciphertexts if it holds a translation key for a keyword being sufficiently close (according to some metric) to that of the ciphertext. More generally, if ciphertexts are tagged with a set of descriptive attributes, attribute-based encryption techniques [30] can even be used to enable re-encryption when ciphertext attributes fit the access structure of the re-encryption key.

5 Conclusions and Open Problems

We presented the first unidirectional PRE realizations with chosen-ciphertext security in the standard model (i.e., without using the random oracle heuristic). We also refined our security definitions by allowing adversaries to introduce arbitrary delegatees' public keys in the system. To the best of our knowledge, these are the first security results in the so-called chosen key model for the proxy re-encryption primitive. One of the new schemes additionally allows for temporary delegations and other extensions.

Many open problems still remain. One of them would be to devise secure schemes in a fully adaptive corruption model. The very existence of collusion-resistant multi-hop unidirectional systems remains a (perhaps even more) challenging open question. Canetti and Hohenberger [19] also mentioned the problem of securely obfuscating CCA-secure re-encryption. Ateniese, Benson and Hohenberger [6] raised that of key-private PRE in the chosen-ciphertext setting. It would also be interesting to efficiently implement such primitives outside bilinear groups (recent results [16] in the context of identity-based encryption may be encouraging in this regard).


References

1. M. Abdalla, E. Kiltz, G. Neven. Generalized Key Delegation for Hierarchical Identity-Based Encryption. In ESORICS'07, LNCS 4734, pp. 139–154. Springer, 2007.
2. J.-H. An, Y. Dodis, T. Rabin. On the security of joint signature and encryption. In Eurocrypt'02, LNCS 2332, pp. 83–107. Springer, 2002.
3. G. Ateniese, K. Fu, M. Green, S. Hohenberger. Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage. In NDSS, 2005.
4. G. Ateniese, K. Fu, M. Green, S. Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM TISSEC, 9(1), pp. 1–30, 2006.
5. G. Ateniese, S. Hohenberger. Proxy re-signatures: new definitions, algorithms, and applications. In ACM Conference on Computer and Communications Security, pp. 310–319. ACM Press, 2005.
6. G. Ateniese, K. Benson, S. Hohenberger. Key-Private Proxy Re-Encryption. Cryptology ePrint Archive: Report 2008/463, 2008.
7. M. Bellare, O. Goldreich. On defining proofs of knowledge. In Crypto'92, pp. 390–420, 1993.
8. M. Bellare, T. Kohno, V. Shoup. Stateful public-key cryptosystems: how to encrypt with one 160-bit exponentiation. In ACM CCS'06, pp. 380–389. ACM Press, 2006.
9. M. Bellare, P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS'93, pp. 62–73. ACM Press, 1993.
10. M. Bellare, G. Neven. Multi-signatures in the plain public-key model and a general forking lemma. In ACM CCS, pp. 390–399, 2006.
11. M. Blaze, G. Bleumer, M. Strauss. Divertible Protocols and Atomic Proxy Cryptography. In Eurocrypt'98, LNCS 1403, pp. 127–144, 1998.
12. A. Boldyreva. Efficient Threshold Signature, Multisignature and Blind Signature Schemes Based on the Gap-Diffie-Hellman-group Signature Scheme. In PKC, pp. 31–46, 2003.
13. D. Boneh, X. Boyen. Efficient selective-ID secure identity based encryption without random oracles. In Eurocrypt'04, LNCS 3027, pp. 223–238. Springer, 2004.
14. D. Boneh, X. Boyen, E.-J. Goh. Hierarchical Identity Based Encryption with Constant Size Ciphertext. In Eurocrypt'05, LNCS 3494, pp. 440–456, 2005. Extended version available from Cryptology ePrint Archive: Report 2005/015.
15. D. Boneh, M. Franklin. Identity-based encryption from the Weil pairing. In Crypto'01, LNCS 2139, pp. 213–229. Springer, 2001.
16. D. Boneh, C. Gentry, M. Hamburg. Space-Efficient Identity Based Encryption Without Pairings. In FOCS'07, to appear.
17. X. Boyen, Q. Mei, B. Waters. Direct Chosen Ciphertext Security from Identity-Based Techniques. In ACM CCS'05, pp. 320–329. ACM Press, 2005.
18. X. Boyen, B. Waters. Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles). In Crypto'06, LNCS 4117, pp. 290–307. Springer, 2006.
19. R. Canetti, S. Hohenberger. Chosen-Ciphertext Secure Proxy Re-Encryption. In ACM CCS'07, pp. 185–194. ACM Press, 2007.
20. R. Canetti, H. Krawczyk, J. B. Nielsen. Relaxing Chosen-Ciphertext Security. In Crypto'03, LNCS 2729, pp. 565–582. Springer, 2003.
21. R. Canetti, S. Halevi, J. Katz. A forward secure public key encryption scheme. In Eurocrypt'03, LNCS 2656, pp. 254–271. Springer, 2003.
22. R. Canetti, S. Halevi, J. Katz. Chosen-Ciphertext Security from Identity-Based Encryption. In Eurocrypt'04, LNCS 3027, pp. 207–222. Springer, 2004.
23. C.-K. Chu, W. G. Tzeng. Identity-Based Proxy Re-encryption Without Random Oracles. In ISC'07, LNCS 4779, pp. 189–202. Springer, 2007.
24. Y. Dodis, A.-A. Ivan. Proxy Cryptography Revisited. In NDSS'03, 2003.
25. Y. Dodis, A. Yampolskiy. A Verifiable Random Function with Short Proofs and Keys. In PKC'05, LNCS 3386, pp. 416–431. Springer, 2005.
26. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Crypto'84, LNCS 196, pp. 10–18. Springer, 1985.
27. M. Fischlin. Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors. In Crypto'05, LNCS 3621, pp. 152–168, 2005.
28. R. Granger, N. P. Smart. On Computing Products of Pairings. Cryptology ePrint Archive: Report 2006/172, 2006.
29. M. Green, G. Ateniese. Identity-Based Proxy Re-encryption. In ACNS'07, LNCS 4521, pp. 288–306. Springer, 2007.
30. V. Goyal, O. Pandey, A. Sahai, B. Waters. Attribute-based encryption for fine-grained access control of encrypted data. In ACM CCS'06, pp. 89–98, 2006.
31. S. Hohenberger. Advances in Signatures, Encryption, and E-Cash from Bilinear Groups. Ph.D. Thesis, MIT, May 2006.
32. S. Hohenberger, G. N. Rothblum, a. shelat, V. Vaikuntanathan. Securely Obfuscating Re-encryption. In TCC'07, LNCS 4392, pp. 233–252. Springer, 2007.
33. M. Jakobsson. On Quorum Controlled Asymmetric Proxy Re-encryption. In PKC'99, LNCS 1560, pp. 112–121. Springer, 1999.
34. E. Kiltz. Chosen-Ciphertext Security from Tag-Based Encryption. In TCC'06, LNCS 3876, pp. 581–600. Springer, 2006.
35. E. Kiltz. On the Limitations of the Spread of an IBE-to-PKE Transformation. In PKC'06, LNCS 3958, pp. 274–289. Springer, 2006.
36. E. Kiltz, D. Galindo. Direct Chosen-Ciphertext Secure Identity-Based Key Encapsulation without Random Oracles. In ACISP'06, LNCS 4058, pp. 336–347. Springer, 2006.
37. B. Libert, D. Vergnaud. Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption. In PKC'08, LNCS 4939. Springer, 2008.
38. M. Mambo, E. Okamoto. Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts. IEICE Trans. Fund. Elect. Communications and CS, E80-A/1, pp. 54–63, 1997.
39. M. Naor. On Cryptographic Assumptions and Challenges. In Crypto'03, LNCS 2729, pp. 96–109. Springer, 2003.
40. C. Rackoff, D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Crypto'91, LNCS 576, pp. 433–444. Springer, 1991.
41. A. Sahai, B. Waters. Fuzzy Identity-Based Encryption. In Eurocrypt'05, LNCS 3494, pp. 457–473. Springer, 2005.
42. A. Shamir. Identity based cryptosystems and signature schemes. In Crypto'84, LNCS 196, pp. 47–53. Springer, 1984.
43. V. Shoup. A proposal for the ISO standard for public-key encryption (version 2.1). Manuscript, 2001. http://shoup.net/.
44. G. Taban, A. Cárdenas, V. D. Gligor. Towards a secure and interoperable DRM architecture. In DRM'06, ACM workshop on Digital rights management, pp. 69–78. ACM, 2006.
45. B. Waters. Efficient Identity-Based Encryption Without Random Oracles. In Eurocrypt'05, LNCS 3494, pp. 114–127. Springer, 2005.